ARTIN AUTOMORPHISMS, CYCLOTOMIC FUNCTION FIELDS, AND 
FOLDED LIST-DECODABLE CODES 



VENKATESAN GURUSWAMI 



Abstract. Algebraic codes that achieve list decoding capacity were recently constructed by a careful "folding" of the Reed-Solomon code. The "low-degree" nature of this folding operation was crucial to the list decoding algorithm. We show how such folding schemes conducive to list decoding arise out of the Artin-Frobenius automorphism at primes in Galois extensions. Using this approach, we construct new folded algebraic-geometric codes for list decoding based on cyclotomic function fields with a cyclic Galois group. Such function fields are obtained by adjoining torsion points of the Carlitz action of an irreducible $M \in \mathbb{F}_q[T]$. The Reed-Solomon case corresponds to the simplest such extension (corresponding to the case $M = T$). In the general case, we need to descend to the fixed field of a suitable Galois subgroup in order to ensure the existence of many degree one places that can be used for encoding.

Our methods shed new light on algebraic codes and their list decoding, and lead to new 
codes achieving list decoding capacity. Quantitatively, these codes provide list decoding (and 
list recovery/soft decoding) guarantees similar to folded Reed-Solomon codes but with an 
alphabet size that is only polylogarithmic in the block length. In comparison, for folded RS 
codes, the alphabet size is a large polynomial in the block length. This has applications to 
fully explicit (with no brute-force search) binary concatenated codes for list decoding up to 
the Zyablov radius. 
1. Introduction

1.1. Context and Motivation. Recent progress in algebraic coding theory [16, 6] has led to the construction of explicit codes over large alphabets that achieve list decoding capacity, namely, they admit efficient algorithms to correct close to the optimal fraction $1 - R$ of errors with rate $R$. The algebraic codes constructed in [6] are folded Reed-Solomon codes, where the Reed-Solomon (RS) encoding $(f(1), f(\gamma), \ldots, f(\gamma^{n-1}))$ of a low-degree polynomial $f \in \mathbb{F}_q[T]$ is viewed as a codeword of length $N = n/m$ over the alphabet $\mathbb{F}_q^m$ by identifying successive blocks of $m$ symbols. Here $\gamma$ is a primitive element of the field $\mathbb{F}_q$.

Simplifying matters somewhat, the principal algebraic engine behind the list decoding algorithm in [6] was the identity $f(\gamma T) \equiv f(T)^q \pmod{T^{q-1} - \gamma}$, and the fact that $(T^{q-1} - \gamma)$ is irreducible over $\mathbb{F}_q$. This gave a low-degree algebraic relation between $f(T)$ and $f(\gamma T)$ in the residue field $\mathbb{F}_q[T]/(T^{q-1} - \gamma)$. This, together with an algebraic relation found by the "interpolation step" of the decoding, enabled finding the list of all relevant message polynomials $f(T)$ efficiently.

One of the main motivations of this work is to gain a deeper understanding of the general algebraic principles underlying the above folding, with the hope of extending it to more general algebraic-geometric (AG) codes. The latter question is an interesting algebraic question in its own right, but is also important for potentially improving the alphabet size of the codes, as well as the decoding complexity and output list size of the decoding algorithm. (The large complexity and list size of the folded RS decoding algorithm in [6] are a direct consequence of the large degree $q$ in the identity relating $f(\gamma T)$ and $f(T)$.)

An extension of the Parvaresh-Vardy codes [16] (which were the precursor to the folded RS codes) to arbitrary algebraic-geometric codes was achieved in [5]. But in these codes the encoding includes the evaluations of an additional function explicitly picked to satisfy a low-degree relation over some residue field. This leads to a substantial loss in rate. The crucial insight in the construction of folded RS codes was the fact that this additional function could just be the closely related function $f(\gamma T)$, the image of $f(T)$ under the automorphism $T \mapsto \gamma T$ of $\mathbb{F}_q(T)$.

1.2. Summary of our contributions. We explain how folding schemes conducive to list decoding (such as the above relation between $f(\gamma T)$ and $f(T)$) arise out of the Artin-Frobenius automorphism at primes in Galois extensions. With the benefit of hindsight, the role of such automorphisms in folding algebraic codes is quite natural. In terms of technical contributions, we use this approach to construct new list-decodable folded algebraic-geometric codes based on cyclotomic function fields with a cyclic Galois group. Cyclotomic function fields [1, 9] are obtained by adjoining torsion points of the Carlitz action of an irreducible $M \in \mathbb{F}_q[T]$. The Reed-Solomon case corresponds to the simplest such extension (corresponding to the case $M = T$). In the general case, we need to descend to the fixed field of a suitable Galois subgroup in order to ensure the existence of many degree one places that can be used for encoding. We establish some key algebraic lemmas that characterize the desired subfield in terms of the appropriate generator $\mu$ in the algebraic closure of $\mathbb{F}_q(T)$ and its minimal polynomial over $\mathbb{F}_q(T)$. We then tackle the computational algebra challenge of computing a representation of the subfield and its rational places, and the message space, that is conducive to efficient encoding and decoding of the associated algebraic-geometric code.
Our constructions lead to some substantial quantitative improvements in the alphabet size
which we discuss below in Section 1.4. We also make some simplifications in the list decoding 
algorithm and avoid the need of a zero-increasing basis at each code place (Lemma 6.2). 
This, together with several other ideas, lets us implement the list decoding algorithm in 
polynomial time assuming only the natural representation of the code needed for efficient 
encoding, namely a basis for the message space. Computing such a basis remains an interesting 
question in computational function field theory. Our description and analysis of the list 
decoding algorithm in this work is self-contained, though it builds strongly on the framework 
of the algorithms in [23, 16, 5, 6]. 

1.3. Galois extensions and Artin automorphisms. We now briefly discuss how and why 
Artin-Frobenius automorphisms arise in the seemingly distant world of list decoding. In order 
to generalize the Reed-Solomon case, we are after function fields whose automorphisms we 
have a reasonable understanding of. Galois extensions are a natural subclass of function fields 
to consider, with the hope that some automorphism in the Galois group will give a low-degree 
relation over some residue field. Unfortunately, the explicit constructions of good AG codes 
are typically based on a tower of function fields [3, 4], where each step is Galois, but the whole 
extension is not. (Stichtenoth [22] recently showed the existence of a Galois extension with 
the optimal trade-off between genus and number of rational places, but this extension is not, 
and cannot be, cyclic, as we require.) 

In Galois extensions $K/F$, for each place $A'$ in the extension field $K$, there is a special and important automorphism called the Artin-Frobenius automorphism (see, e.g., [13, Chap. 4]) that simply powers the residue of any (regular) function at that place. The exponent or degree of this map is the norm of the place $A$ of $F$ lying below $A'$. Since the degree dictates the complexity of decoding, we would like this norm to be small. On the other hand, the residue field at $A'$ needs to be large enough so that the message functions can be uniquely identified by their residue modulo $A'$. The most appealing way to realize this is if the place $A$ is inert, i.e., has a unique $A'$ lying above it. However, this condition can only hold if the Galois group is cyclic, a rather strong restriction. For example, it is known [2] that even abelian extensions must be asymptotically bad.

In order to construct AG codes, we also need to have good control of how certain primes split in the extension. For cyclotomic function fields, and of course their better known number-theoretic counterparts $\mathbb{Q}(\omega)$ obtained by adjoining a root of unity $\omega$, this theory is well developed. As mentioned earlier, the cyclotomic function field we use itself has very few rational places. So we need to descend to an appropriate subfield where many degree one places of $\mathbb{F}_q(T)$ split completely, and develop some underlying theory concerning the structure of this subfield.

The Artin-Frobenius automorphism$^1$ is a fundamental notion in algebraic number theory, playing a role in the Chebotarev density theorem and Dirichlet's theorem on the infinitude of primes in arithmetic progressions, as well as quadratic and more general reciprocity laws. We find it rather intriguing that this notion ends up playing an important role in algorithmic coding theory as well.

$^1$Following Rosen [18], we will henceforth refer to the Artin-Frobenius automorphisms as simply Artin automorphisms. Many texts (e.g., [13]) actually refer to these as Frobenius automorphisms. Since the latter term is most commonly associated with the automorphism $x \mapsto x^q$ of $\mathbb{F}_{q^m}$, we prefer the term Artin automorphism to refer to the general notion that applies to all Galois extensions. The association of a place with its Artin-Frobenius automorphism is called the Artin map.

1.4. Long codes achieving list decoding capacity and explicit binary concatenated codes. Quantitatively, our cyclotomic function field codes achieve list decoding (and list recovery) guarantees similar to folded RS codes but with an alphabet size that is only polylogarithmic in the block length. In comparison, for folded RS codes, the alphabet size is a large polynomial in the block length. We note that Guruswami and Rudra [6] also present capacity-achieving codes of rate $R$ for list decoding a fraction $(1 - R - \epsilon)$ of errors with alphabet size $|\Sigma| = 2^{(1/\epsilon)^{O(1)}}$, a fixed constant depending only on $\epsilon$. But these codes do not have the strong "list recovery" (or more generally, soft decoding) property of folded RS codes.

Our codes inherit the powerful list recovery property of folded RS codes, which makes them 
very useful as outer codes in concatenation schemes. In fact, due to their small alphabet 
size, they are even better in this role. Indeed, they can serve as outer codes for a family of 
concatenated codes list-decodable up to the Zyablov radius, with no brute-force search for the 
inner codes. This is the first such construction for list decoding. It is similar to the "Justesen- 
style" explicit constructions for rate vs. distance from [11, 20], except even easier, as one can 
use the ensemble of all linear codes instead of the succinct Wozencraft ensemble at the inner 
level of the concatenated scheme. 

1.5. Related work. Codes based on cyclotomic function fields have been considered previously in the literature. Some specific (non-asymptotic) constructions of function fields with many rational places over small fields $\mathbb{F}_q$ ($q \le 5$) appear in [14, 15]. Cyclotomic codes based on the action of polynomials $T^a$ for small $a$ appear in [17], but decoding algorithms are not discussed for these codes, nor are these extensions cyclic as we require. Our approach is more general and works based on the action of an arbitrary irreducible polynomial. Exploiting the Artin automorphism of cyclotomic fields for an algorithmic purpose is also new to this work.

Independent of our work, Huang and Narayanan [10] also consider AG codes constructed from 
Galois extensions, and observe how automorphisms of large order can be used for folding such 
codes. To our knowledge, the only instantiation of this approach that improves on folded 
RS codes is the one based on cyclotomic function fields from our work. As an alternate 
approach, they also propose a decoding method that works with folding via automorphisms 
of small order. This involves computing several coefficients of the power series expansion of 
the message function at a low-degree place. Unfortunately, piecing together these coefficients 
into a function could lead to an exponential list size bound. The authors suggest a heuristic 
assumption under which they can show that for a random received word, the expected list size 
and running time are polynomially bounded. 

2. Background on Cyclotomic function fields 

Some basic preliminaries on function fields, valuations and places, Galois extensions, decom- 
position of primes, Artin-Frobenius automorphism, etc. are discussed in Appendix B. In this 
section, we will focus on background material concerning cyclotomic function fields. These 
are the function-field analog of the classic cyclotomic number fields from algebraic number 
theory. This theory was developed by Hayes [9] in 1974 building upon ideas due to Carlitz [1] 
from the late 1930's. The objective was to develop an explicit class field theory classifying all abelian extensions of the rational function field $\mathbb{F}_q(T)$, analogous to classic results for $\mathbb{Q}$ and imaginary quadratic extensions of $\mathbb{Q}$. The common idea in these results is to allow a ring of "integers" in the ground field to act on part of its algebraic closure, and obtain abelian extensions by adjoining torsion points of this action. We will now describe these extensions of $\mathbb{F}_q(T)$.

Let $T$ be an indeterminate over the finite field $\mathbb{F}_q$. Let $R_T = \mathbb{F}_q[T]$ denote the polynomial ring, and $F = \mathbb{F}_q(T)$ the field of rational functions. Let $F^{ac}$ be a fixed algebraic closure of $F$. Let $\mathrm{End}_{\mathbb{F}_q}(F^{ac})$ be the ring of $\mathbb{F}_q$-endomorphisms of $F^{ac}$, thought of as an $\mathbb{F}_q$-vector space. We consider two special elements of $\mathrm{End}_{\mathbb{F}_q}(F^{ac})$: (i) the Frobenius automorphism $\tau$ defined by $\tau(z) = z^q$ for all $z \in F^{ac}$, and (ii) the map $\mu_T$ defined by $\mu_T(z) = Tz$ for all $z \in F^{ac}$. The substitution $T \to \tau + \mu_T$ yields a ring homomorphism from $R_T$ to $\mathrm{End}_{\mathbb{F}_q}(F^{ac})$ given by $f(T) \mapsto f(\tau + \mu_T)$. Using this, we can define the Carlitz action of $R_T$ on $F^{ac}$ as follows: for $M \in R_T$,

$C_M(z) = M(\tau + \mu_T)(z) \quad \text{for all } z \in F^{ac}.$

This action endows $F^{ac}$ with the structure of an $R_T$-module, which is called the Carlitz module. For a nonzero polynomial $M \in R_T$, define the set

$\Lambda_M = \{ z \in F^{ac} \mid C_M(z) = 0 \},$

consisting of the $M$-torsion points of $F^{ac}$, i.e., the elements annihilated by the Carlitz action of $M$ (this is also the set of zeroes of the polynomial $C_M(Z) \in R_T[Z]$). Since $R_T$ is commutative, $\Lambda_M$ is in fact an $R_T$-submodule of $F^{ac}$. It is in fact a cyclic $R_T$-module, naturally isomorphic to $R_T/(M)$.

The cyclotomic function field $F(\Lambda_M)$ is obtained by adjoining the set $\Lambda_M$ of $M$-torsion points to $F$.$^2$ The following result from [9] summarizes some fundamental facts about cyclotomic function fields, stated for the special case when $M$ is irreducible (we will only use such extensions). Proofs can also be found in the graduate texts [18, Chap. 12] or [19, Chap. 12]. In what follows, we will often use the convention that an irreducible polynomial $P \in R_T$ is identified with the place of $F$ which is the zero of $P$, and also denote this place by $P$. Recall that these are all the places of $F$, with the exception of the place $P_\infty$ which is the unique pole of $T$.

Proposition 2.1. Let $M \in R_T$ be a nonzero degree $d$ monic polynomial that is irreducible over $\mathbb{F}_q$. Let $K = F(\Lambda_M)$. Then

(i) $C_M(Z)$ is a separable polynomial in $Z$ of degree $q^d$ over $R_T$, of the form $\sum_{i=0}^{d} [M,i]\, Z^{q^i}$, where the degree of $[M,i]$ as a polynomial in $T$ is $q^i(d-i)$. The polynomial $\psi_M(Z) = C_M(Z)/Z$ is irreducible in $R_T[Z]$. The field $K$ is equal to the splitting field of $\psi_M(Z)$, and is generated by any nonzero element $\lambda \in \Lambda_M$, i.e., $K = F(\lambda)$.

(ii) $K/F$ is a Galois extension of degree $(q^d - 1)$ and $\mathrm{Gal}(K/F)$ is isomorphic to $(R_T/(M))^*$, the cyclic multiplicative group of units of the field $R_T/(M)$. The Galois automorphism $\sigma_N$ associated with $N \in (R_T/(M))^*$ is given by $\sigma_N(\lambda) = C_N(\lambda)$. The Galois automorphisms commute with the Carlitz action: for any $\sigma \in \mathrm{Gal}(K/F)$ and $A \in R_T$, $\sigma(C_A(x)) = C_A(\sigma(x))$ for all $x \in K$.

(iii) If $P \in R_T$ is a monic irreducible polynomial different from $M$, then the Artin automorphism at the place $P$ is equal to $\sigma_P$.

(iv) The integral closure of $R_T$ in $F(\lambda)$ equals $R_T[\lambda]$.

(v) The genus $g_M$ of $F(\Lambda_M)$ satisfies $2g_M - 2 = d(q^d - 2) - \frac{q}{q-1}(q^d - 1)$.

$^2$It is instructive to compare this with the more familiar setting of cyclotomic number fields. There, one lets $\mathbb{Z}$ act on the multiplicative group $(\mathbb{Q}^{ac})^*$ with the endomorphism corresponding to $n \in \mathbb{Z}$ sending $\zeta \mapsto \zeta^n$ for $\zeta \in \mathbb{Q}^{ac}$. The $n$-torsion points now equal $\{\zeta \in \mathbb{Q}^{ac} \mid \zeta^n = 1\}$, i.e., the $n$'th roots of unity. Adjoining these gives the various cyclotomic number fields.
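The Carlitz action defined above, the degree pattern of Proposition 2.1(i), and the $R_T$-module property $C_A \circ C_B = C_{AB}$ can all be checked by computing $C_M(Z)$ as a $q$-polynomial $\sum_i [M,i] Z^{q^i}$. The block below is an added example, not code from the paper; it assumes a prime $q$ (constructed value $q = 5$) so that $\mathbb{F}_q$ is the integers mod $q$, and the function names `carlitz`, `compose`, `degrees_match` and `is_module_action` are chosen here. It goes slightly beyond the text in that it verifies the module property for arbitrary $A, B \in R_T$, not only for the generator $T$.

```python
# Added example (not from the paper): the Carlitz action C_M(z) = M(tau + mu_T)(z)
# over R_T = F_q[T], computed symbolically as a q-polynomial  sum_i [M,i] z^{q^i}.
from typing import List

q = 5                      # assumption: q prime, so F_q is the integers mod q
Poly = List[int]           # element of R_T = F_q[T]: coefficient list, index = power of T
QPoly = List[Poly]         # q-polynomial sum_i a_i z^{q^i}: the list [a_0, a_1, ...] in R_T

T: Poly = [0, 1]           # the indeterminate T itself

def trim(a: Poly) -> Poly:
    """Reduce coefficients mod q and drop leading zeros; the zero polynomial is []."""
    a = [c % q for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a: Poly) -> int:
    return len(a) - 1          # deg 0 = -1 under this convention

def add(a: Poly, b: Poly) -> Poly:
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def mul(a: Poly, b: Poly) -> Poly:
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def frob(a: Poly, k: int) -> Poly:
    """a(T)^(q^k) = a(T^(q^k)): coefficients in F_q are fixed by the Frobenius tau."""
    out: Poly = []
    for i, c in enumerate(a):
        if c:
            out += [0] * (i * q**k + 1 - len(out))
            out[i * q**k] = c
    return trim(out)

def carlitz(M: Poly) -> QPoly:
    """C_M as the q-polynomial [[M,0], [M,1], ..., [M,d]].
    C_T(z) = z^q + T z, C_{T^k} = C_T o C_{T^{k-1}}, and M -> C_M is F_q-linear."""
    M = trim(M)
    powers: List[QPoly] = [[[1]]]            # C_1(z) = z
    for _ in range(deg(M)):
        prev = powers[-1]
        nxt: QPoly = [[] for _ in range(len(prev) + 1)]
        for i, a in enumerate(prev):
            nxt[i] = add(nxt[i], mul(T, a))            # T * (a_i z^{q^i})
            nxt[i + 1] = add(nxt[i + 1], frob(a, 1))   # (a_i z^{q^i})^q = a_i^q z^{q^{i+1}}
        powers.append(nxt)
    result: QPoly = [[] for _ in range(deg(M) + 1)]
    for k, m in enumerate(M):                          # C_M = sum_k m_k C_{T^k}
        for i, a in enumerate(powers[k]):
            result[i] = add(result[i], trim([m * c for c in a]))
    return result

def compose(A: QPoly, B: QPoly) -> QPoly:
    """(C_A o C_B)(z) = sum_i a_i (sum_j b_j z^{q^j})^{q^i} = sum_{i,j} a_i b_j^{q^i} z^{q^{i+j}}."""
    out: QPoly = [[] for _ in range(len(A) + len(B) - 1)]
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            out[i + j] = add(out[i + j], mul(a, frob(b, i)))
    return out

def degrees_match(M: Poly) -> bool:
    """Proposition 2.1(i): deg_T [M,i] = q^i (d - i) for monic M of degree d."""
    d = deg(trim(M))
    return all(deg(a) == q**i * (d - i) for i, a in enumerate(carlitz(M)))

def is_module_action(A: Poly, B: Poly) -> bool:
    """C_A o C_B = C_{AB} = C_B o C_A, i.e. F^{ac} is an R_T-module under the Carlitz action."""
    cab = carlitz(mul(A, B))
    return compose(carlitz(A), carlitz(B)) == cab and compose(carlitz(B), carlitz(A)) == cab

if __name__ == "__main__":
    print(carlitz(T))              # [[0, 1], [1]]: C_T(z) = T z + z^q
    print(carlitz([0, 0, 1]))      # C_{T^2}(z) = T^2 z + (T^q + T) z^q + z^{q^2}
    print(degrees_match([3, 0, 1, 1]), is_module_action([1, 1], [0, 0, 1]))
```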

The splitting behavior of primes in the extension $F(\Lambda_M)/F$ will be crucial for our construction. We record it in a separate proposition below.

Proposition 2.2. Let $M \in R_T$, $M \neq 0$, be a monic, irreducible polynomial of degree $d$.

(i) (Ramification at $M$) The place $M$ is totally ramified in the extension $F(\Lambda_M)/F$. If $\lambda \in \Lambda_M$ is a root of $C_M(z)/z$ and $\mathfrak{M}$ is the unique place of $F(\Lambda_M)$ lying above $M$, then $\lambda$ is an $\mathfrak{M}$-prime element, i.e., $v_{\mathfrak{M}}(\lambda) = 1$.

(ii) (Ramification at $P_\infty$) The infinite place $P_\infty$ of $F$, i.e., the pole of $T$, splits into $(q^d - 1)/(q-1)$ places of degree one in $F(\Lambda_M)/F$, each with ramification index $(q-1)$. Its decomposition group equals $\mathbb{F}_q^*$.

(iii) (Splitting at other places) If $P \in R_T$ is a monic irreducible polynomial different from $M$, then $P$ is unramified in $F(\Lambda_M)/F$, and splits into $(q^d - 1)/f$ primes of degree $f \cdot \deg(P)$, where $f$ is the order of $P$ modulo $M$ (i.e., the smallest positive integer $f$ such that $P^f \equiv 1 \pmod M$).

3. Reed-Solomon codes as cyclotomic function field codes 

We now discuss how Reed-Solomon codes arise out of the simplest cyclotomic extension $F(\Lambda_T)/F$. This serves both as a warm-up for our later results, and as a method to illustrate that one can view the folding employed by Guruswami and Rudra [6] as arising naturally from the Artin automorphism at a certain prime in the extension $F(\Lambda_T)/F$.

We have $\Lambda_T = \{u \in F^{ac} \mid u^q + Tu = 0\}$. Pick a nonzero $\lambda \in \Lambda_T$. By Proposition 2.2, the only ramified places in $F(\Lambda_T)/F$ are $T$ and the pole $P_\infty$ of $T$. Both of these are totally ramified and have a unique place above them in $F(\Lambda_T)$. Denote by $Q_\infty$ the place above $P_\infty$ in $F(\Lambda_T)$.

We have $\lambda^{q-1} = -T$, so $\lambda$ has a pole of order one at $Q_\infty$, and no poles elsewhere. The place $T+1$ splits completely into $n = q-1$ places of degree one in $F(\Lambda_T)$. The evaluations of $\lambda$ at these places correspond to the roots of $x^{q-1} = 1$, i.e., to the nonzero elements of $\mathbb{F}_q$. Thus the places above $T+1$ can be described as $P_1, P_\gamma, \ldots, P_{\gamma^{q-2}}$, where $\gamma$ is a primitive element of $\mathbb{F}_q$ and $\lambda(P_{\gamma^i}) = \gamma^i$ for $i = 0, 1, \ldots, q-2$.

For $k < q-1$, define $\mathcal{M}_k = \{\sum_{i=0}^{k-1} f_i \lambda^i \mid f_i \in \mathbb{F}_q\}$. $\mathcal{M}_k$ has $q^k$ elements, each with at most $(k-1)$ poles at $Q_\infty$ and no poles elsewhere. Consider the $\mathbb{F}_q$-linear map $E_{RS} : \mathcal{M}_k \to \mathbb{F}_q^n$ defined as

$E_{RS}(f) = (f(P_1), f(P_\gamma), \ldots, f(P_{\gamma^{q-2}})).$

Clearly the above just defines an $[n,k]_q$ Reed-Solomon code, consisting of evaluations of polynomials of degree $< k$ at elements of $\mathbb{F}_q^*$.






Consider the place $T + \gamma$ of $F$. The condition $(T+\gamma)^j \equiv 1 \pmod T$ is satisfied iff $\gamma^j = 1$, which happens iff $(q-1) \mid j$. Therefore, the place $T+\gamma$ remains inert in $F(\Lambda_T)/F$. Let $A$ denote the unique place above $T+\gamma$ in $F(\Lambda_T)$. The degree of $A$ equals $q-1$.

The Artin automorphism at $A$, $\sigma_A$, is given by $\sigma_A(\lambda) = C_{T+\gamma}(\lambda) = C_\gamma(\lambda) = \gamma\lambda$. Note that this implies $f(P_{\gamma^{i+1}}) = \sigma_A(f)(P_{\gamma^i})$ for $0 \le i < q-2$. By the property of the Artin automorphism, we have $\sigma_A(f) \equiv f^q \pmod A$ for all $f \in R_T[\lambda]$. Note that this is the same as the condition $f(\gamma X) \equiv f(X)^q \pmod{X^{q-1} - \gamma}$, treating $f$ as a polynomial in $\lambda$. This corresponds to the algebraic relation between $f(X)$ and $f(\gamma X)$ in the ring $\mathbb{F}_q[X]$ that was used by Guruswami and Rudra [6] in their decoding algorithm, specifically in the task of finding all $f(X)$ of degree less than $k$ satisfying $Q(X, f(X), f(\gamma X)) = 0$ for a given $Q \in \mathbb{F}_q[X, Y, Z]$. In the cyclotomic language, this corresponds to finding all $f \in R_T[\lambda]$ with $< k$ poles at $Q_\infty$ satisfying $Q(f, \sigma_A(f)) = 0$ for $Q \in R_T[\lambda][Y, Z]$. Since $\deg(A) = q-1 \ge k$, $f$ is determined by its residue at $A$, and we know $\sigma_A(f) \equiv f^q \pmod A$. Therefore, we can find all such $f$ by finding the roots of the univariate polynomial $Q(Y, Y^q) \bmod A$ over the residue field $\mathcal{O}_A/A$.
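The two facts this section rests on, that $X^{q-1} - \gamma$ is irreducible over $\mathbb{F}_q$ (so the residue field $\mathcal{O}_A/A$ is a field) and that $\sigma_A(f) = f(\gamma X) \equiv f(X)^q \pmod{X^{q-1} - \gamma}$, can be checked directly in $\mathbb{F}_q[X]$. The block below is an added example, not code from the paper or from [6]; it assumes a prime $q$ (constructed values $q = 7$, $\gamma = 3$) and uses Ben-Or's irreducibility test, which is not a method the paper uses. The names `artin_identity_holds`, `is_irreducible` and `residue_at_A` are chosen here.

```python
# Added example (not the paper's code): the Reed-Solomon folding identity of Section 3,
# f(gamma X) = f(X)^q (mod X^{q-1} - gamma), checked over F_q for a prime q.
from typing import List

q = 7              # assumption: q prime, so F_q = Z/qZ
gamma = 3          # a primitive element of F_7^* (3 has multiplicative order 6)
Poly = List[int]   # element of F_q[X] as a coefficient list, index = power of X

def trim(a: Poly) -> Poly:
    """Reduce coefficients mod q and drop leading zeros; the zero polynomial is []."""
    a = [c % q for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a: Poly, b: Poly) -> Poly:
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def mul(a: Poly, b: Poly) -> Poly:
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def polymod(a: Poly, m: Poly) -> Poly:
    """Remainder of a modulo a monic m (long division in F_q[X])."""
    a = trim(a)
    while a and len(a) >= len(m):
        c, s = a[-1], len(a) - len(m)
        for i, mc in enumerate(m):
            a[i + s] -= c * mc
        a = trim(a)
    return a

def monic(b: Poly) -> Poly:
    inv = pow(b[-1], q - 2, q)          # inverse of the leading coefficient (Fermat)
    return trim([c * inv for c in b])

def gcd_poly(a: Poly, b: Poly) -> Poly:
    while b:
        a, b = b, polymod(a, monic(b))
    return a

def polypow_mod(a: Poly, e: int, m: Poly) -> Poly:
    """a^e mod m by square-and-multiply."""
    r, a = [1], polymod(a, m)
    while e:
        if e & 1:
            r = polymod(mul(r, a), m)
        a = polymod(mul(a, a), m)
        e >>= 1
    return r

def scale_var(f: Poly, c: int) -> Poly:
    """f(c X): the coefficient of X^i is multiplied by c^i."""
    return trim([fi * pow(c, i, q) for i, fi in enumerate(f)])

# A(X) = X^{q-1} - gamma: the inert place T + gamma of Section 3, written in the generator.
A: Poly = trim([-gamma] + [0] * (q - 2) + [1])

def is_irreducible(f: Poly) -> bool:
    """Ben-Or's test: monic f of degree n is irreducible over F_q iff
    gcd(f, X^{q^i} - X) = 1 for all 1 <= i <= n/2."""
    n = len(f) - 1
    x_pow: Poly = [0, 1]
    for _ in range(n // 2):
        x_pow = polypow_mod(x_pow, q, f)            # now X^{q^i} mod f
        if len(gcd_poly(f, add(x_pow, [0, -1]))) > 1:
            return False
    return True

def artin_identity_holds(f: Poly) -> bool:
    """sigma_A(f) = f(gamma X) agrees with f^q modulo A: the Artin automorphism at A
    acts on the residue field F_q[X]/(A) as the q-th power map."""
    return polymod(scale_var(f, gamma), A) == polypow_mod(f, q, A)

def residue_at_A(f: Poly) -> Poly:
    """For deg f < q-1 = deg A the residue is f itself, so f is determined by it."""
    return polymod(f, A)

if __name__ == "__main__":
    print(is_irreducible(A))                                  # the residue field is a field
    print(artin_identity_holds([1, 2, 3, 4, 5]))              # a degree-4 message polynomial
    print(artin_identity_holds([6, 0, 5, 1, 0, 0, 0, 2, 3]))  # any element of F_q[X]
```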

4. Subfield construction from cyclic cyclotomic function fields

In this section, we describe the function field construction that will be used for our algebraic-geometric codes, and establish the key algebraic facts concerning it. The approach will be to take the cyclotomic field $K = F(\Lambda_M)$, where $M$ is an irreducible of degree $d > 1$, and get a code over $\mathbb{F}_q$. But the only places of degree 1 in $F(\Lambda_M)$ are the ones above the pole $P_\infty$ of $T$. There are only $(q^d - 1)/(q-1)$ such places above $P_\infty$, which is much smaller than the genus. So we descend to a subfield where many degree 1 places split completely. This is done by taking a subgroup $H$ of $(\mathbb{F}_q[T]/(M))^*$ with many degree 1 polynomials and considering the fixed field $E = K^H$. For every irreducible $N \in R_T$ such that $\bar{N} = N \bmod M \in H$, the place $N$ splits completely in the extension $E/F$ (this follows from the fact that $\sigma_N$ is the Artin automorphism at the place $N$). This technique has also been used in the previous works [17, 14, 15] mentioned in Section 1.5, though our approach is more general and works with any irreducible $M$. The study of algorithms for cyclotomic codes and the role played by the Artin automorphism in their list decoding is also novel to our work.

4.1. Table of parameters. Since there is an unavoidable surfeit of notation and parameters 
used in this section and Section 5, we summarize them for easy reference in Appendix A. 

4.2. Function field construction. Let $\mathbb{F}_r$ be a subfield of $\mathbb{F}_q$. Let $M \in \mathbb{F}_r[T]$ be a monic polynomial that is irreducible over $\mathbb{F}_q$ (note that we require $M(T)$ to have coefficients in the smaller field $\mathbb{F}_r$, but demand irreducibility in the ring $\mathbb{F}_q[T]$). The following lemma follows from the general characterization of when binomials $T^d - a$ are irreducible in $\mathbb{F}_q[T]$ [12, Chap. 3].

Lemma 4.1. Let $d \ge 1$ be an odd integer such that every prime factor of $d$ divides $(r-1)$ and $\gcd(d, (q-1)/(r-1)) = 1$. Let $\gamma$ be a primitive element of $\mathbb{F}_r$. Then $T^d - \gamma \in \mathbb{F}_r[T]$ is irreducible in $\mathbb{F}_q[T]$.

A simple choice for which the above conditions are met is $r = 2^a$, $q = r^2$, and $d = r - 1$ (we will need a more complicated choice for our list decoding result in Theorem 7.1). For the sake of generality as well as clarity of exposition, we will develop the theory without making specific choices for the parameters, a somewhat intricate task we will undertake in Section 7.

For the rest of this section, fix $M(T) = T^d - \gamma$ as guaranteed by the above lemma. We continue with the notation $F = \mathbb{F}_q(T)$, $R_T = \mathbb{F}_q[T]$, and $K = F(\Lambda_M)$. Fix a generator $\lambda \in \Lambda_M$ of $K/F$ so that $K = F(\lambda)$.

Let $G$ be the Galois group of $K/F$, which is isomorphic to the cyclic multiplicative group $(\mathbb{F}_q[T]/(M))^*$. Let $H \subset G$ be the subgroup $\mathbb{F}_q^* \cdot (\mathbb{F}_r[T]/(M))^*$. The cardinality of $H$ is $(r^d - 1) \cdot \frac{q-1}{r-1}$. Note that since $G$ is cyclic there is a unique subgroup $H$ of this size. Indeed, if $\Gamma \in G$ is an arbitrary generator of $G$, then $H = \{1, \Gamma^b, \Gamma^{2b}, \ldots, \Gamma^{(|H|-1)b}\}$ where

(4.1) $b = \frac{|G|}{|H|} = \frac{q^d - 1}{r^d - 1} \cdot \frac{r-1}{q-1}.$

Let $A \in R_T$ be an arbitrary polynomial such that $A \bmod M$ is a generator of $(\mathbb{F}_q[T]/(M))^*$. We can then take $\Gamma$ so that $\Gamma(\lambda) = C_A(\lambda)$. (We fix a choice of $A$ in the sequel and assume that $A$ is pre-computed and known. We will later, in Section 5.3, pick such an $A$ of appropriately large degree.) Note that by part (ii) of Proposition 2.1, the Galois action commutes with the Carlitz action and therefore $\Gamma^j(\lambda) = C_{A^j}(\lambda)$ for all $j \ge 1$. Thus knowing the polynomial $A$ lets us compute the action of the automorphisms of $H$ on any desired element of $K = F(\lambda)$.

Let $E \subseteq K$ be the subfield of $K$ fixed by the subgroup $H$, i.e., $E = \{x \in K \mid \sigma(x) = x\ \forall \sigma \in H\}$. The field $E$ will be the one used to construct our codes. We first record some basic properties of the extension $E/F$, and how certain places decompose in this extension.

Proposition 4.2. For $E = F(\Lambda_M)^H$, the following properties hold:

(i) $E/F$ is a Galois extension of degree $[E : F] = b$.

(ii) The place $M$ is the only ramified place in $E/F$, and it is totally ramified with a unique place (call it $M'$) above it in $E$.

(iii) The infinite place $P_\infty$ of $F$, i.e., the pole of $T$, splits completely into $b$ degree one places in $E$.

(iv) The genus $g_E$ of $E$ equals $\frac{d(b-1)}{2} + 1$.

(v) For each $\beta \in \mathbb{F}_r$, the place $T - \beta$ of $F$ splits completely into $b$ degree one places in $E$.

(vi) If $A \in R_T$ is irreducible of degree $\ell \ge 1$ and $A \bmod M$ is a primitive element of $R_T/(M)$, then the place $A$ is inert in $E/F$. The Artin automorphism $\sigma_A$ at $A$ satisfies

(4.2) $\sigma_A(x) \equiv x^{q^\ell} \pmod{A'}$

for all $x \in \mathcal{O}_{A'}$, where $A'$ is the unique place of $E$ lying above $A$.



Proof. By Galois theory, $[E : F] = |G|/|H| = b$. Since $G$ is abelian, $E/F$ is Galois with Galois group isomorphic to $G/H$. Since $E \subseteq K$, and $M$ is totally ramified in $K$, it must also be totally ramified in $E$. The only other place ramified in $K$ is $P_\infty$, and since $H$ contains the decomposition group $\mathbb{F}_q^*$ of $P_\infty$, $P_\infty$ must split completely in $E/F$.

The genus of $E$ is easily computed since $E/F$ is a tamely ramified extension [21, Sec. III.5]. Since only the place $M$ of degree $d$ is ramified, we have $2g_E - 2 = d(b-1)$.

Since $H \supseteq (\mathbb{F}_r[T]/(M))^*$, for $\beta \in \mathbb{F}_r$ the Artin automorphism $\sigma_{T-\beta}$ of the place $T - \beta$ in $K/F$ belongs to $H$. The Artin automorphism of $T - \beta$ in the extension $E/F$ is the restriction of $\sigma_{T-\beta}$ to $E$, which is trivial since $H$ fixes $E$. It follows that $T - \beta$ splits completely in $E$.

For an irreducible polynomial $A \in R_T$ which has order $q^d - 1$ modulo $M$, by part (iii) of Proposition 2.2, the place $A$ remains inert in the extension $K/F$, and therefore also in the sub-extension $E/F$. Since the degree of the place $A$ equals $\ell$, (4.2) follows from the definition of the Artin automorphism at $A'$. □

4.3. A generator for $E$ and its properties. We would like to represent elements of $E$ and be able to evaluate them at the places above $T - \beta$. To this end, we will exhibit a $\mu \in F^{ac}$ such that $E = F(\mu)$, along with a defining equation for $\mu$ (which will then aid in the evaluation of $\mu$ at the requisite places).

Theorem 4.3. Let $\lambda$ be an arbitrary nonzero element of $\Lambda_M$ (so that $K = F(\lambda)$). Define

(4.3) $\mu = \prod_{\sigma \in H} \sigma(\lambda) = C_1(\lambda)\, C_{A^b}(\lambda) \cdots C_{A^{(|H|-1)b}}(\lambda).$

Then the fixed field equals $E = F(\mu)$. The minimal polynomial $h(Z) \in R_T[Z]$ of $\mu$ over $F$ is given by

$h(Z) = \prod_{j=0}^{b-1} \left(Z - \Gamma^j(\mu)\right).$

Further, the polynomial $h(Z)$ can be computed in $q^{O(d)}$ time.



Proof. By definition $\mu$ is fixed by each $\sigma \in H$ and so $\mu \in E$. Therefore $F(\mu) \subseteq E$.

To show $E = F(\mu)$, we will argue that $[F(\mu) : F] = b$, which in turn follows if we show that $h(Z)$ has coefficients in $F$ and is irreducible over $F$. Since $\Gamma^b(\mu) = \mu$ and thus $\Gamma^j(\mu)$ only depends on $j \bmod b$, all symmetric functions of $\{\Gamma^j(\mu)\}_{j=0}^{b-1}$ are fixed by $\Gamma$, and thus also by all of $\mathrm{Gal}(K/F)$. The coefficients of $h(Z)$ must therefore belong to $F$. The theorem actually claims that the coefficients lie in $R_T$. To see this, note that for $j = 0, 1, \ldots, b-1$,

(4.4) $\Gamma^j(\mu) = \prod_{i \equiv j \bmod b} \Gamma^i(\lambda) = \prod_{i \equiv j \bmod b} C_{A^i}(\lambda).$

Since $\lambda$ and all its Galois conjugates $C_{A^i}(\lambda)$ are integral over $F$, each $\Gamma^j(\mu)$ is integral over $F$, and thus so is each coefficient of $h(Z)$. But since we already know they belong to $F$, the coefficients must in fact lie in $R_T$.

We will prove $h(Z)$ is irreducible over $F$ by showing that it is an Eisenstein polynomial with respect to the place $M$. Since $\mu = \lambda \cdot \prod_{\sigma \in H,\, \sigma \neq 1} \sigma(\lambda)$, for each $j$, $0 \le j < b$, $\Gamma^j(\mu)$ is divisible by $\Gamma^j(\lambda)$ in the ring $R_T[\lambda]$. Now $\Gamma^j(\lambda) = C_{A^j}(\lambda)$, which is divisible by $\lambda$. By Proposition 2.2, $\lambda \in \mathfrak{M}$, and hence each coefficient of $h(Z)$ other than the leading one belongs to the ideal $F \cap \mathfrak{M} = M$. (A reminder that we are using $M$ to denote both the polynomial in $R_T$ and its associated place.) Therefore, all coefficients of $h(Z)$ except the leading coefficient are divisible by $M$.
The constant term of $h(Z)$ equals

(4.5) $\prod_{j=0}^{b-1} \Gamma^j(\mu) = \prod_{j=0}^{b-1} \prod_{\sigma \in H} \Gamma^j \sigma(\lambda) = \prod_{j=0}^{b-1} \prod_{0 \le i < (q^d-1)/b} \Gamma^{j+ib}(\lambda) = \prod_{\pi \in G} \pi(\lambda) = M,$

where the last step follows since the minimal polynomial of $\lambda$ over $F$ is $\prod_{\pi \in G} (Z - \pi(\lambda))$, but the minimal polynomial is also $C_M(Z)/Z$, which has $M$ as its constant term. Thus the constant term of $h(Z)$ is not divisible by $M^2$. By Eisenstein's criterion, we conclude that $h(Z)$ must be irreducible over $F$.

Finally, we turn to how the coefficients of $h(Z)$ can be computed efficiently. By the expression (4.4), we can compute $\Gamma^j(\mu)$ for $0 \le j \le b-1$ as a formal polynomial in $\lambda$ with coefficients from $R_T$. We can divide this polynomial by the monic polynomial $C_M(\lambda)/\lambda$ (formally, over the polynomial ring $R_T[\lambda]$) and represent $\Gamma^j(\mu)$ as a polynomial of degree less than $(q^d - 1)$ in $\lambda$. Using this representation, we can compute the polynomials $h^{(i)}(Z) = \prod_{j=0}^{i} (Z - \Gamma^j(\mu))$ for $1 \le i \le b-1$ iteratively, as an element of $R_T[\lambda][Z]$, with all coefficients having degree less than $(q^d - 1)$ in $\lambda$. When $i = b-1$, we will have computed $h(Z)$; we know that at the end all the coefficients will have degree $0$ in $\lambda$ and belong to $R_T$. □

By Equation (4.5) in the above argument, and the fact that $v_{M'}(\Gamma^j(\mu)) = v_{M'}(\mu)$, we conclude that $v_{M'}(\mu) = 1$, i.e., $\mu$ (as well as each of its Galois conjugates $\Gamma^j(\mu)$) is $M'$-prime. We record this fact below. It will be used to prove that the integral closure of $R_T$ in $E$ equals $R_T[\mu]$ (Proposition 5.2), en route to characterizing the message space in Theorem 5.1.

Lemma 4.4. The element $\mu$ has a simple zero at $M'$, i.e., $v_{M'}(\mu) = 1$.

With the minimal polynomial $h(Z)$ of $\mu$ at our disposal, we turn to computing the evaluations of $\mu$ at the $b$ places above $T - \beta$, call them $P^{(\beta)}_j$ for $j = 0, 1, \ldots, b-1$, for each $\beta \in \mathbb{F}_r$. (Recall that the place $T - \beta$ splits completely in $E/F$ by Proposition 4.2, Part (v).) The following lemma identifies the set of evaluations of $\mu$ at these places. This method is related to Kummer's theorem on splitting of primes [21, Sec. III.3].

Lemma 4.5. Consider the polynomial $h^{(\beta)}(Z) \in \mathbb{F}_q[Z]$ obtained by evaluating the coefficients of $h(Z)$, which are polynomials in $T$, at $\beta$. Then $h^{(\beta)}(Z) = \prod_{j=0}^{b-1} (Z - \mu(P^{(\beta)}_j))$. In particular, the set of evaluations of $\mu$ at the places above $(T - \beta)$ equals the set of roots of $h^{(\beta)}$ in $\mathbb{F}_q$, and can be computed in $b^{O(1)}$ time given $h \in R_T[Z]$.

Proof. We know $h(Z) = \prod_{j=0}^{b-1} (Z - \Gamma^j(\mu))$. Therefore

$h^{(\beta)}(Z) = \prod_{j=0}^{b-1} \left(Z - \Gamma^j(\mu)(P^{(\beta)}_0)\right) = \prod_{j=0}^{b-1} \left(Z - \mu(\Gamma^{-j}(P^{(\beta)}_0))\right) = \prod_{j=0}^{b-1} \left(Z - \mu(P^{(\beta)}_j)\right),$

where the last step uses the fact that $\Gamma^{-j}(P^{(\beta)}_0)$ for $j = 0, 1, \ldots, b-1$ is precisely the set of places above $T - \beta$. □
5. Code construction from cyclotomic function field

We will now describe the algebraic-geometric codes based on the function field $E$. A tempting choice for the message space is perhaps $\{\sum_{i=0}^{b-1} a_i(T)\mu^i\} \subset R_T[\mu]$, where the $a_i(T)$ are polynomials of some bounded degree. This is certainly an $\mathbb{F}_q$-linear space, and messages in this space have no poles outside the places lying above $P_\infty$. However, the valuations of $\mu$ at these places are complicated (one needs the Newton polygon method to estimate these [19, Sec. 12.4]), and since $\mu$ has both zeroes and poles amongst these places, it is hard to get good bounds on the total pole order of such messages at each of the places above $P_\infty$.



5.1. Message space. Let $M'$ be the unique totally ramified place in $E$ lying above $M$; $\deg(M') = \deg(M) = d$. We will use as message space the elements of $E$ that have no more than a certain number $\ell$ of poles at the place $M'$ and no poles elsewhere. These can equivalently be thought of (via a natural correspondence) as elements of $E$ that have bounded (depending on $\ell$) pole order at each place above $P_\infty$, and no poles elsewhere, and we could develop our codes and algorithms in this equivalent setting. Since the literature on AG codes typically focuses on one-point codes where the messages have poles at a unique place, we work with functions with poles restricted to $M'$.

Formally, for an integer $\ell \geq 1$, let $\mathcal{L}(\ell M')$ be the space of functions in $E$ that have no poles outside $M'$ and at most $\ell$ poles at $M'$. $\mathcal{L}(\ell M')$ is an $\mathbb{F}_q$-vector space, and by the Riemann-Roch theorem, $\dim(\mathcal{L}(\ell M')) \geq \ell d - g + 1$, where $g = d(b-1)/2 + 1$ is the genus of $E$. We will assume that $\ell \geq b$, in which case $\ell d \geq 2g - 1$ and hence $\dim(\mathcal{L}(\ell M')) = \ell d - g + 1$.

We will represent the code by a basis of $\mathcal{L}(\ell M')$ over $\mathbb{F}_q$. Of course, we first need to understand how to represent a single function in $\mathcal{L}(\ell M')$. The following theorem suggests a representation for elements of $\mathcal{L}(\ell M')$ that we can use.

Theorem 5.1. A function $f$ in $E$ with poles only at $M'$ has a unique representation of the form
\[
(5.1)\qquad f = \frac{\sum_{i=0}^{b-1} a_i \mu^i}{M^e}
\]
where $e \geq 0$ is an integer, each $a_i \in R_T$, and not all the $a_i$'s are divisible by $M$ (as polynomials in $T$).



Proof. If $f$ has poles only at $M'$, there must be a smallest integer $e \geq 0$ such that $M^e f$ has no poles outside the places above $P_\infty$. This means that $M^e f$ must be in the integral closure ("ring of integers") of $R_T$ in $E$, i.e., the minimal polynomial of $M^e f$ over $R_T$ is monic. The claim will follow once we establish that the integral closure of $R_T$ in $E$ equals $R_T[\mu]$, which we show next in Proposition 5.2. The uniqueness follows since $\{1, \mu, \ldots, \mu^{b-1}\}$ forms a basis of $E$ over $F$. □

Proposition 5.2. The integral closure of $R_T$ in $E$ equals $R_T[\mu] = \bigl\{\sum_{i=0}^{b-1} a_i \mu^i \;\big|\; a_i \in R_T\bigr\}$.

Proof. The minimal polynomial $h(Z)$ of $\mu$ over $R_T$ is monic (Theorem 4.3). Thus $\mu$ is integral over $R_T$, and so $R_T[\mu]$ is contained in the integral closure of $R_T$ in $E$. We turn to proving the reverse inclusion. The proof follows along the lines of a similar argument used to prove that the integral closure of $R_T$ in $K = F(\lambda)$ equals $R_T[\lambda]$ [19, Prop. 12.9]. Let $\omega \in E$ be integral over $R_T$. We know that $\{1, \mu, \mu^2, \ldots, \mu^{b-1}\}$ is a basis for $E$ over $F$. Also $\mu$, and therefore each $\mu^i$, is integral over $R_T$. By virtue of these facts, it is known (see, for example, [13, Chap. 2]) that there exist $a_i \in R_T$ such that $\omega = \frac{1}{\Delta}\sum_{i=0}^{b-1} a_i \mu^i$, where $\Delta \in R_T$ is the discriminant of the extension $E/F$. As $M$ is the only ramified place in the extension $E/F$, the discriminant $\Delta$ is a power of $M$ up to units, and by assuming wlog that $\Delta$ is monic, we can conclude that $\Delta = M^{e'}$ for some exponent $e' \geq 0$. Thus (after dividing out any common factor of $M$, which only lowers $e'$) we have
\[
(5.2)\qquad M^{e'} \omega = \sum_{j=0}^{b-1} a_j \mu^j
\]
with $a_j \in R_T$, and not all the $a_j$'s are divisible by $M$.

Our goal is to show that $e' = 0$. We will do this by comparing the valuations $v_{M'}$ of both sides of (5.2). Since $M'$ is totally ramified over $M$ (so $v_{M'}(M) = b$) and $\omega$ is integral, we have
\[
(5.3)\qquad v_{M'}(M^{e'}\omega) = v_{M'}(M^{e'}) + v_{M'}(\omega) = be' + v_{M'}(\omega) \geq be' .
\]
Let $i_0$, $0 \leq i_0 < b$, be the smallest value of $i$ such that $v_M(a_i) = 0$. Such an $i_0$ must exist since not all the $a_i$'s are divisible by $M$. By Lemma 4.4, $v_{M'}(\mu) = 1$, and so
\[
v_{M'}(a_i \mu^i) = v_{M'}(a_i) + i = b\, v_M(a_i) + i .
\]
For $i = i_0$, $v_{M'}(a_{i_0}\mu^{i_0}) = i_0$. For $i < i_0$, $v_{M'}(a_i\mu^i) \geq b\, v_M(a_i) \geq b > i_0$ (since $v_M(a_i) \geq 1$ for $i < i_0$). For $i > i_0$, $v_{M'}(a_i\mu^i) \geq v_{M'}(\mu^i) = i > i_0$. It follows that
\[
(5.4)\qquad v_{M'}\Bigl(\sum_{i=0}^{b-1} a_i \mu^i\Bigr) = \min_{0 \leq i < b} v_{M'}(a_i \mu^i) = i_0 .
\]
Combining (5.3) and (5.4), we conclude $b > i_0 \geq be'$, which implies $e' = 0$. □

5.2. Succinctness of representation. In order to be able to efficiently compute with the representation (5.1) of functions in $\mathcal{L}(\ell M')$, we need the guarantee that the representation will be succinct, i.e., of size polynomial in the code length. We show that this will be the case by obtaining an upper bound on the degree of the coefficients $a_i \in R_T$ in Lemma 5.3 below. This is not as straightforward as one might hope, and we thank G. Anderson and D. Thakur for help with its proof. For the choice of parameters we will make (in Theorems 6.10 and 7.1), this upper bound will be polynomially bounded in the code length. Therefore, the assumed representation of the basis functions is of polynomial size.

Lemma 5.3. Suppose $f \in \mathcal{L}(\ell M')$ is given by $f = \frac{1}{M^e}\sum_{i=0}^{b-1} a_i \mu^i$ for $a_i \in R_T$ (not all divisible by $M$) and $e \geq 0$. Then the degree of each $a_i$ is at most $\ell + q^d b$.

Proof. Let $g = M^e f = \sum_{i=0}^{b-1} a_i \mu^i$. We know that $g$ has at most $eb$ poles at each place of $E$ that lies above $P_\infty$ (since $f$ has no poles at these places). Using the fact that $f$ has at most $\ell$ poles at $M'$, and the uniqueness of the representation $f = \frac{1}{M^e}\sum_{i=0}^{b-1} a_i \mu^i$, it is easy to argue that $eb \leq \ell + b$. So $g$ has at most $\ell + b$ poles at each place of $E$ lying above $P_\infty$.

Let $\sigma = \sigma_A$; we know that $\sigma$ is a generator of $\mathrm{Gal}(E/F)$. For $j = 0, 1, \ldots, b-1$, we have $\sigma^j(g) = \sum_{i=0}^{b-1} a_i\, \sigma^j(\mu^i)$. Let $\mathbf{a} = (a_0, a_1, \ldots, a_{b-1})^{T}$ be the (column) vector of coefficients, and let $\mathbf{g} = (g, \sigma(g), \ldots, \sigma^{b-1}(g))^{T}$. Denoting by $\Phi$ the $b \times b$ matrix with $\Phi_{ji} = \sigma^j(\mu^i)$ for $0 \leq i, j \leq b-1$, we have the system of equations $\Phi \mathbf{a} = \mathbf{g}$.

We can thus determine the coefficients by solving this linear system. By Cramer's rule, $a_i = \det(\Phi_i)/\det(\Phi)$ where $\Phi_i$ is obtained by replacing the $i$'th column of $\Phi$ by the column vector $\mathbf{g}$. The square of the denominator $\det(\Phi)$ is the discriminant of the field extension $E/F$, and belongs to $R_T$. Thus the degree of $a_i$ is at most the pole order of $\det(\Phi_i)$ at an arbitrary place, say $P$, above $P_\infty$. By the definition (4.3) of $\mu$, and the fact that $\lambda$ and its conjugates have at most one pole at the places above $P_\infty$ in $F(\Lambda_M)$, it follows that $\mu$ has at most $(q^d - 1)/b$ poles at $P$. The same holds for all its conjugates $\sigma^j(\mu)$. The function $g$ and its conjugates $\sigma^j(g)$ have at most $\ell + b$ poles at $P$. In all, this yields a crude upper bound of

for the pole order of $\det(\Phi_i)$ at $P$, and hence also for the degree of the polynomial $a_i \in R_T$. □

5.3. Rational places for encoding and their ordering. So far, the polynomial $A \in R_T$ was any monic irreducible polynomial that was a primitive element modulo $M$, so that its Artin automorphism $\sigma_A$ generates $\mathrm{Gal}(E/F)$. We will now pick $A$ to have degree $D$ satisfying $D > \ell d / b$. This can be done by a Las Vegas algorithm in $(Dq^d)^{O(1)}$ time by picking a random polynomial and checking that it works, or deterministically by brute force in time. Either of these lies within the decoding time claimed in Theorem 6.10, and will be polynomial in the block length for our parameter choices in Theorem 7.1. By Proposition 2.1, $A$ remains inert in $E/F$; let us denote by $A'$ the unique place of $E$ that lies over $A$. The degree of $A'$ equals $Db$.

For each $\beta \in \mathbb{F}_r$, fix an arbitrary place $P_0^{(\beta)}$ lying above $T - \beta$ in $E$. For $j = 0, 1, \ldots, b-1$, define
\[
(5.5)\qquad P_j^{(\beta)} = \sigma_A^{-j}\bigl(P_0^{(\beta)}\bigr) .
\]

Since $\mathrm{Gal}(E/F)$ acts transitively on the set of primes above a prime, and $\sigma_A$ generates $\mathrm{Gal}(E/F)$, these constitute all the places above $T - \beta$. Lemma 4.5 already tells us the set of evaluations of $\mu$ at these places, but not which evaluation corresponds to which place. We have $\mu\bigl(\sigma_A^{-j}(P_0^{(\beta)})\bigr) = \sigma_A^j(\mu)\bigl(P_0^{(\beta)}\bigr)$; hence, to compute the evaluations of $\mu$ at all these $b$ places as per the ordering (5.5), it suffices to know

(i) the value $\mu(P_0^{(\beta)})$, which we can find by simply picking one of the roots from Lemma 4.5 arbitrarily, and

(ii) a representation of $\sigma_A^j(\mu)$ as an element of $R_T[\mu]$ (since $\sigma_A^j(\mu)$ is integral over $R_T$, it belongs to $R_T[\mu]$ by virtue of Proposition 5.2). Note that $T(P_0^{(\beta)}) = \beta$, so once we know $\mu(P_0^{(\beta)})$, we can evaluate any element of $R_T[\mu]$ at $P_0^{(\beta)}$.

We now show that $\sigma_A^j(\mu) \in R_T[\mu]$ can be computed efficiently.

Lemma 5.4. (i) The values of $\sigma_A^j(\mu)$ for $0 \leq j \leq b-1$ as elements of $R_T[\mu]$ can be computed in $q^{O(d)}$ time.

(ii) The values $\mu(P_j^{(\beta)})$ for $\beta \in \mathbb{F}_r$ and $j = 0, 1, \ldots, b-1$ can be computed in $q^{O(d)}$ time. Knowing these values, we can compute any function in the message space $\mathcal{L}(\ell M')$ represented in the form (5.1) at the places $P_j^{(\beta)}$ in $\mathrm{poly}(\ell, q^d)$ time.

Proof. Part (ii) follows from Part (i) and the discussion above. To prove Part (i), note that once we compute $\sigma_A(\mu)$, we can recursively compute $\sigma_A^j(\mu)$ for $j \geq 2$, using the relation $h(\mu) = 0$ to replace $\mu^b$ and higher powers of $\mu$ in terms of $1, \mu, \ldots, \mu^{b-1}$. By definition (4.3), we have $\mu = \sum_{0 \leq i < (q^d-1)/b} C_{A^{ib} \bmod M}(\lambda)$. Thus one can compute an expression $\mu = \sum_{i=0}^{q^d-2} e_i \lambda^i \in R_T[\lambda]$ with coefficients $e_i \in R_T$ in $q^{O(d)}$ time. By successive multiplication in the ring $R_T[\lambda]$ (using the relation $C_M(\lambda) = 0$ to express $\lambda^{q^d-1}$ and higher powers in terms of $1, \lambda, \ldots, \lambda^{q^d-2}$), we can compute, for $l = 0, 1, \ldots, b-1$, expressions $\mu^l = \sum_{i=0}^{q^d-2} e_{li} \lambda^i$ with $e_{li} \in R_T$ in $q^{O(d)}$ time.



We have $\sigma_A(\mu) = \sum_{i=0}^{q^d-2} e_i\, \sigma_A(\lambda)^i = \sum_{i=0}^{q^d-2} e_i\, C_{A \bmod M}(\lambda)^i$. So one can likewise compute an expression $\sigma_A(\mu) = \sum_{i=0}^{q^d-2} f_i \lambda^i$ with $f_i \in R_T$ in $q^{O(d)}$ time. The task now is to re-express this expression for $\sigma_A(\mu)$ as an element of $R_T[\mu]$, of the form $\sum_{l=0}^{b-1} a_l \mu^l$, with "unknowns" $a_l \in R_T$ that are to be determined. We will argue that this can be accomplished by solving a linear system.

Indeed, using the above expressions $\mu^l = \sum_{i=0}^{q^d-2} e_{li} \lambda^i$, the coefficients $a_l$ satisfy the following system of linear equations over $R_T$:
\[
(5.6)\qquad \sum_{l=0}^{b-1} e_{li}\, a_l = f_i \quad \text{for } i = 0, 1, \ldots, q^d - 2 .
\]
Since the representation $\sigma_A(\mu) = \sum_{l=0}^{b-1} a_l \mu^l$ is unique, the system has a unique solution. By Cramer's rule, the degree of each $a_l$ is at most $q^{O(d)}$. Therefore, we can express the system (5.6) as a linear system of size $q^{O(d)}$ over $\mathbb{F}_q$ whose unknowns are the coefficients of all the polynomials $a_l \in R_T$. By solving this system in $q^{O(d)}$ time, we can compute the representation of $\sigma_A(\mu)$ as an element of $R_T[\mu]$. □

5.4. The basic cyclotomic AG code. The basic AG code $C^0$ based on the subfield $E$ of the cyclotomic function field $F(\Lambda_M)$ is defined as
\[
(5.7)\qquad C^0 = \Bigl\{ \bigl(f(P_j^{(\beta)})\bigr)_{\beta \in \mathbb{F}_r,\; 0 \leq j < b} \;\Big|\; f \in \mathcal{L}(\ell M') \Bigr\}
\]
where the ordering of the places $P_j^{(\beta)}$ above $T - \beta$ is as in (5.5). We record the standard parameters of the above algebraic-geometric code, which follow from Riemann-Roch, the genus of $E$ from Proposition 4.2, and the fact that a nonzero $f \in \mathcal{L}(\ell M')$ can have at most $\ell \cdot \deg(M') = \ell d$ zeroes.

Lemma 5.5. Let $\ell \geq b$. $C^0$ is an $\mathbb{F}_q$-linear code of block length $n = rb$, dimension $k = \ell d - d(b-1)/2$, and distance at least $n - \ell d$.



Lemma 5.4, Part (ii), implies the following.

Lemma 5.6 (Efficient encoding). Given a basis for the message space $\mathcal{L}(\ell M')$ represented in the form (5.1), the generator matrix of the cyclotomic code $C^0$ can be computed in $\mathrm{poly}(\ell, q^d)$ time.

5.5. The folded cyclotomic code. Let $m \geq 1$ be an integer. For convenience, we assume $m \mid b$ (though this is not really necessary). Analogous to the construction of folded Reed-Solomon codes [6], the folded cyclotomic code $C$ is obtained from $C^0$ by bundling together successive $m$-tuples of symbols into a single symbol to give a code of length $N = n/m$ over $\mathbb{F}_q^m$. Formally,
\[
(5.8)\qquad C = \Bigl\{ \bigl(f(P_{mi}^{(\beta)}), f(P_{mi+1}^{(\beta)}), \ldots, f(P_{mi+m-1}^{(\beta)})\bigr)_{\beta \in \mathbb{F}_r,\; 0 \leq i < b/m} \;\Big|\; f \in \mathcal{L}(\ell M') \Bigr\} .
\]
We will index the $N$ positions of codewords in $C$ by pairs $(\beta, i)$ for $\beta \in \mathbb{F}_r$ and $i \in \{0, 1, \ldots, b/m - 1\}$.

The generator matrix of the unfolded code $C^0$, which can be computed given a basis for $\mathcal{L}(\ell M')$ as per Lemma 5.6, obviously suffices for encoding. We will later on argue that the same representation also suffices for polynomial time list decoding.

5.6. Folding and Artin-Frobenius automorphism. The unique place $A'$ lying above $A$ has degree $D' = Db$. The residue field at $A'$, denote it $K_{A'}$, is isomorphic to $\mathbb{F}_{q^{Db}}$. By our choice $Db > \ell d$. This immediately implies that a message in $\mathcal{L}(\ell M')$ is uniquely determined by its evaluation at $A'$.

Lemma 5.7. The map $\mathrm{ev}_{A'} : \mathcal{L}(\ell M') \to K_{A'}$ given by $\mathrm{ev}_{A'}(f) = f(A')$ is one-one.

The key algebraic property of our folding is the following.

Lemma 5.8. For every $f \in \mathcal{L}(\ell M')$:

(i) For every $\beta \in \mathbb{F}_r$ and $0 \leq j < b-1$, $\sigma_A(f)(P_j^{(\beta)}) = f(P_{j+1}^{(\beta)})$.

(ii) $\sigma_A(f)(A') = f(A')^{q^D}$.

Proof. The first part follows since we ordered the places above $T - \beta$ such that $P_{j+1}^{(\beta)} = \sigma_A^{-1}(P_j^{(\beta)})$. The second part follows from the property of the Artin automorphism at $A$, since the norm of the place $A$ equals $q^{\deg(A)} = q^D$. (A nice discussion of the Artin-Frobenius automorphism, albeit in the setting of number fields, appears in [13, Chap. 4].) □

6. List decoding algorithm

We now turn to list decoding the folded cyclotomic code $C$ defined in (5.8). The underlying approach is similar to that of the algorithm for list decoding folded RS codes [6] and algebraic-geometric generalizations of Parvaresh-Vardy codes [16, 5]. We will therefore not repeat the entire rationale and motivation behind the algorithm development. But our technical presentation and analysis is self-contained. In fact, our presentation here does offer some simplifications over previous descriptions of AG list decoding algorithms from [7, 8, 5]. A principal strength of the new description is that it avoids the use of zero-increasing bases at each code place $P_j^{(\beta)}$. This simplifies the algorithm as well as the representation of the code needed for decoding.

The list decoding problem for $C$ up to $e$ errors corresponds to solving the following function reconstruction problem. Recall that the length of the code is $N = n/m = rb/m$, and the codeword positions are indexed by $\mathbb{F}_r \times \{0, 1, \ldots, b/m - 1\}$.

Input: Collection $\mathcal{T}$ of $N$ tuples $\bigl(y_{mi}^{(\beta)}, y_{mi+1}^{(\beta)}, \ldots, y_{mi+m-1}^{(\beta)}\bigr) \in \mathbb{F}_q^m$ for $\beta \in \mathbb{F}_r$ and $0 \leq i < b/m$.

Output: A list of all $f \in \mathcal{L}(\ell M')$ whose encoding as per $C$ agrees with the $(\beta, i)$'th tuple for at least $N - e$ codeword positions.

6.1. Algorithm description. We describe the algorithm at a high level below and later justify how the individual steps can be implemented efficiently, and under what condition the decoding will succeed. We stress that regardless of complexity considerations, even the combinatorial list-decodability property "proved" by the algorithm is non-trivial.

Algorithm List-Decode($C$) (uses the following parameters):

• an integer parameter $s$, $2 \leq s \leq m$, for $s$-variate interpolation

• an integer parameter $w \geq 1$ that governs the zero order (multiplicity) guaranteed by interpolation

• an integer parameter $\Delta \geq 1$ which is the total degree of the interpolated $s$-variate polynomial

Step 1: (Interpolation) Find a nonzero polynomial $Q(Z_1, Z_2, \ldots, Z_s)$ of total degree at most $\Delta$ with coefficients in $\mathcal{L}(\ell M')$ such that for each $\beta \in \mathbb{F}_r$, $0 \leq i < b/m$, and $j \in \{0, 1, \ldots, m-s\}$, the shifted polynomial
\[
(6.1)\qquad Q\bigl(Z_1 + y_{mi+j}^{(\beta)},\; Z_2 + y_{mi+j+1}^{(\beta)},\; \ldots,\; Z_s + y_{mi+j+s-1}^{(\beta)}\bigr)
\]
has the property that the coefficient of the monomial $Z_1^{n_1} Z_2^{n_2} \cdots Z_s^{n_s}$ vanishes at $P_{mi+j}^{(\beta)}$ whenever its total degree $n_1 + n_2 + \cdots + n_s < w$.

Step 2: (Root-finding) Find a list of all $f \in \mathcal{L}(\ell M')$ satisfying
\[
Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0 .
\]
Output those whose encoding as per the code $C$ agrees with at least $N - e$ of the $m$-tuples in $\mathcal{T}$.

6.2. Analysis of error-correction radius.

Lemma 6.1. If $k(\Delta+1)^s \geq N(m-s+1)(w+s-1)^s$ (where, recall, $k = \ell d - d(b-1)/2$ is the dimension of $\mathcal{L}(\ell M')$), then a nonzero polynomial $Q$ with the stated properties exists. If we know the evaluations of the functions in a basis $\{\phi_1, \phi_2, \ldots, \phi_k\}$ of $\mathcal{L}(\ell M')$ at the places $P_j^{(\beta)}$, then such a $Q$ can be found by solving a homogeneous system of linear equations over $\mathbb{F}_q$ with at most $Nm(w+s)^s$ equations and unknowns.

Proof. The proof is standard and follows by counting degrees of freedom vs. number of constraints. One can express the desired polynomial as $Q = \sum_{(n_1, \ldots, n_s)} q_{(n_1, \ldots, n_s)} Z_1^{n_1} \cdots Z_s^{n_s}$ with unknowns $q_{(n_1, \ldots, n_s)} \in \mathcal{L}(\ell M')$, each of which is specified by $k$ coefficients over $\mathbb{F}_q$. The number of $\mathbb{F}_q$-coefficients is $k\binom{\Delta+s}{s} > k(\Delta+1)^s/s!$. For each place $P_{mi+j}^{(\beta)}$, one can express the required condition at that place by $\binom{w+s-1}{s}$ linear conditions (this quantity is the number of monomials of total degree $< w$), for a total of
\[
N(m-s+1)\binom{w+s-1}{s} \leq N(m-s+1)\,\frac{(w+s-1)^s}{s!}
\]
constraints. When the number of unknowns exceeds the number of constraints, a nonzero solution must exist. A solution can also be found efficiently once the linear system is set up, which can clearly be done if we know the evaluations of the $\phi_i$'s at the code places (i.e., a "generator matrix" of the code). □

Lemma 6.2. Let $Q$ be the polynomial found in Step 1. If the encoding of some $f$ as per $C$ agrees with $\bigl(y_{mi}^{(\beta)}, y_{mi+1}^{(\beta)}, \ldots, y_{mi+m-1}^{(\beta)}\bigr)$ for some position $(\beta, i)$, then $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr)$ has at least $w$ zeroes at each of the $(m-s+1)$ places $P_{mi+j'}^{(\beta)}$, for $j' = 0, 1, \ldots, m-s$.

Proof. The proof differs slightly from earlier proofs of similar statements (e.g., [5, Lemma 6.6]) in that it avoids the use of zero-increasing bases and is thus simpler. We will prove the claim for $j' = 0$, and the same proof works for any $j' \leq m-s$. Note that agreement on the $m$-tuple at position $(\beta, i)$ implies that
\[
f(P_{mi}^{(\beta)}) = y_{mi}^{(\beta)},\quad f(P_{mi+1}^{(\beta)}) = y_{mi+1}^{(\beta)},\quad \ldots,\quad f(P_{mi+s-1}^{(\beta)}) = y_{mi+s-1}^{(\beta)} .
\]
By Lemma 5.8, Part (i), this implies
\[
f(P_{mi}^{(\beta)}) = y_{mi}^{(\beta)},\quad \sigma_A(f)(P_{mi}^{(\beta)}) = y_{mi+1}^{(\beta)},\quad \ldots,\quad \sigma_A^{s-1}(f)(P_{mi}^{(\beta)}) = y_{mi+s-1}^{(\beta)} .
\]
Denote by $Q^*$ the shifted polynomial (6.1) for the triple $(\beta, i, 0)$. We have
\[
\begin{aligned}
Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) &= Q^*\bigl(f - y_{mi}^{(\beta)},\; \sigma_A(f) - y_{mi+1}^{(\beta)},\; \ldots,\; \sigma_A^{s-1}(f) - y_{mi+s-1}^{(\beta)}\bigr) \\
&= \sum_{\substack{n_1, n_2, \ldots, n_s \\ n_1 + n_2 + \cdots + n_s \leq \Delta}} q^*_{(n_1, \ldots, n_s)} \bigl(f - f(P_{mi}^{(\beta)})\bigr)^{n_1} \bigl(\sigma_A(f) - \sigma_A(f)(P_{mi}^{(\beta)})\bigr)^{n_2} \cdots \bigl(\sigma_A^{s-1}(f) - \sigma_A^{s-1}(f)(P_{mi}^{(\beta)})\bigr)^{n_s}
\end{aligned}
\]
for some coefficients $q^*_{(n_1, \ldots, n_s)} \in \mathcal{L}(\ell M')$, which by the choice of $Q$ in Step 1 vanish at $P_{mi}^{(\beta)}$ whenever $n_1 + \cdots + n_s < w$. Each term of the function in the last expression therefore has valuation at least $w$ at $P_{mi}^{(\beta)}$, and hence so does $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr)$. □

Lemma 6.3. If the encoding of $f \in \mathcal{L}(\ell M')$ has at least $N - e$ agreements with the input tuples $\mathcal{T}$, and $(N-e)(m-s+1)w > d\ell(\Delta+1)$, then $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0$.

Proof. Since $f$ has no poles outside $M'$, neither do the $\sigma_A^i(f)$ for $1 \leq i < s$. Moreover, $v_{M'}(\sigma_A^i(f)) = v_{\sigma_A^{-i}(M')}(f) = v_{M'}(f)$ (since $M'$ is the unique place above $M$ and is thus fixed by every Galois automorphism). Since $f \in \mathcal{L}(\ell M')$, this implies $\sigma_A^i(f) \in \mathcal{L}(\ell M')$ for every $i$. Since each coefficient of $Q$ also belongs to $\mathcal{L}(\ell M')$, we conclude that $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) \in \mathcal{L}((\ell + \ell\Delta)M')$. On the other hand, by Lemma 6.2, $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr)$ has at least $(N-e)(m-s+1)w$ zeroes. If $(N-e)(m-s+1)w > \ell(\Delta+1)d$, then $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr)$ has more zeroes than poles and must thus equal $0$. □
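The counting in Lemma 6.1 and the zeroes-versus-poles condition of Lemma 6.3 together fix how many errors the algorithm tolerates once concrete parameters are chosen. The following Python script is an added illustration, not code from the paper: it counts the unknowns and constraints of Step 1 exactly (via binomial coefficients), finds the smallest $\Delta$ satisfying the sufficient condition of Lemma 6.1, and then the largest $e$ satisfying $(N-e)(m-s+1)w > \ell d(\Delta+1)$. The parameter values ($d = 2$, $b = 64$, $r = 64$, $\ell = 128$, $m = 16$, $s = 4$, $w = 8$) are constructed for illustration only; $k$ and $n$ follow Lemma 5.5.

```python
from math import comb


def interpolation_counts(k, N, m, s, w, delta):
    """Exact number of F_q-unknowns and linear constraints in Step 1.

    Each of the C(delta+s, s) monomials of total degree <= delta carries a
    coefficient in L(lM'), i.e. k field elements; each of the N(m-s+1)
    places P^{(beta)}_{mi+j} imposes one condition per monomial of total
    degree < w, of which there are C(w+s-1, s).
    """
    unknowns = k * comb(delta + s, s)
    constraints = N * (m - s + 1) * comb(w + s - 1, s)
    return unknowns, constraints


def lemma61_sufficient(k, N, m, s, w, delta):
    """Sufficient condition of Lemma 6.1 for a nonzero Q to exist."""
    return k * (delta + 1) ** s >= N * (m - s + 1) * (w + s - 1) ** s


def smallest_degree(k, N, m, s, w):
    """Least total degree delta for which Lemma 6.1 guarantees a nonzero Q."""
    delta = 0
    while not lemma61_sufficient(k, N, m, s, w, delta):
        delta += 1
    return delta


def max_correctable_errors(N, m, s, w, ell, d, delta):
    """Largest e with (N-e)(m-s+1)w > ell*d*(delta+1) (Lemma 6.3), or None."""
    for e in range(N, -1, -1):
        if (N - e) * (m - s + 1) * w > ell * d * (delta + 1):
            return e
    return None


def decoding_radius(r, b, d, ell, m, s, w):
    """Ties the two lemmas together for a folded cyclotomic code C with the
    given (constructed) parameters and returns the derived quantities."""
    assert ell >= b and b % m == 0 and 2 <= s <= m
    assert (d * (b - 1)) % 2 == 0           # keeps k integral
    k = ell * d - d * (b - 1) // 2          # dimension, Lemma 5.5
    n = r * b                               # unfolded block length
    N = n // m                              # folded block length
    delta = smallest_degree(k, N, m, s, w)
    unknowns, constraints = interpolation_counts(k, N, m, s, w, delta)
    assert unknowns > constraints           # so a nonzero Q exists
    e = max_correctable_errors(N, m, s, w, ell, d, delta)
    return {"k": k, "N": N, "rate": k / n, "delta": delta,
            "unknowns": unknowns, "constraints": constraints,
            "errors": e, "error_fraction": (e or 0) / N}


if __name__ == "__main__":
    # constructed toy parameters: d=2, b=64, r=64, ell=128, m=16, s=4, w=8
    print(decoding_radius(64, 64, 2, 128, 16, 4, 8))
```

For the toy parameters the script reports $k = 193$, $N = 256$, $\Delta = 22$ and $e = 199$ correctable errors, i.e. a fraction of about $0.78$ at rate $k/n \approx 0.047$; raising $s$ and $w$ (with $m$) moves the fraction toward the capacity-style bounds discussed in Remark 6.5.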

Putting together the above lemmas, we can conclude the following about the list decoding 
radius guaranteed by the algorithm. Note that we have not yet discussed how Step 2 may be 
implemented, or why it implies a reasonable bound on the output list size. We will do this in 
Section 6.3. 

Theorem 6.4. For every $s$, $2 \leq s \leq m$, and any $\zeta > 0$, for the choice $w = \lceil s/\zeta \rceil$ and a suitable choice of the parameter $\Delta$, the algorithm List-Decode($C$) successfully list decodes up to $e$ errors whenever the bound (6.2) holds.

Proof. Picking $w = \lceil s/\zeta \rceil$ and $\Delta + 1 = \cdots\,(w + s - 1)$, the requirement of Lemma 6.1 is met. By Lemma 5.5, the dimension $k$ satisfies $\ell d = k + d(b-1)/2$. A straightforward computation reveals that for this choice, the bound (6.2) implies the decoding condition $(N-e)(m-s+1)w > \ell d(\Delta+1)$ under which Lemma 6.3 guarantees successful decoding. □

Remark 6.5. The above error-correction radius is non-trivial only when $s \geq 2$. We will see later how to pick parameters so that the error fraction approaches $1 - R_0$. For AG codes, even $s = 1$ led to a non-trivial guarantee of about $1 - \sqrt{R}$ in [7], and for folded Reed-Solomon codes the error fraction with $s$-variate interpolation was $1 - R^{s/(s+1)}$. The weaker bound we get is due to restricting the pole order of the coefficients of $Q$ to at most $\ell$, the number of poles allowed for messages. This is similar to the algorithm in [5, Sec. 5]. Since we let $s$ grow anyway, this does not hurt us. It also avoids some difficult technical complications that would arise otherwise (discussed, e.g., in [5]), and allows implementing the interpolation step just using the natural generator matrix of the code.

6.3. Root-finding using the Artin automorphism. So far we have not discussed how Step 2 of decoding can be performed, and why in particular it implies a reasonably small upper bound on the number of solutions $f \in \mathcal{L}(\ell M')$ that it may find in the worst case. We address this now. This is where the properties of the Artin automorphism will play a crucial role. Recall (i) $K_{A'} = O_{A'}/A'$ denotes the residue field at the place $A'$ of $E$ lying above $A$, and (ii) we picked $A$ so that $D = \deg(A)$ obeyed $Db > \ell d$.

Lemma 6.6. Suppose $f \in O_{A'}$ satisfies
\[
Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0
\]
for some $Q \in O_{A'}[Z_1, Z_2, \ldots, Z_s]$. Let $\bar{Q} \in K_{A'}[Z_1, Z_2, \ldots, Z_s]$ be the polynomial obtained by reducing the coefficients of $Q$ modulo $A'$. Then $f(A') \in K_{A'}$ obeys
\[
(6.3)\qquad \bar{Q}\bigl(f(A'),\; f(A')^{q^D},\; f(A')^{q^{2D}},\; \ldots,\; f(A')^{q^{(s-1)D}}\bigr) = 0 .
\]

Proof. If $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0$, then surely $\bar{Q}\bigl(f(A'), \sigma_A(f)(A'), \ldots, \sigma_A^{s-1}(f)(A')\bigr) = 0$. The claim (6.3) now follows immediately from Lemma 5.8, Part (ii). □
Lemma 6.7. If $Q(Z_1, \ldots, Z_s)$ is a nonzero polynomial of total degree at most $\Delta < q^D$ all of whose coefficients belong to $\mathcal{L}(\ell M')$, then the polynomial $\Phi$ defined as
\[
\Phi(Y) = \bar{Q}\bigl(Y,\; Y^{q^D},\; \ldots,\; Y^{q^{D(s-1)}}\bigr)
\]
is a nonzero polynomial of degree at most $\Delta \cdot q^{D(s-1)}$.

Proof. If $\psi \in \mathcal{L}(\ell M')$ is nonzero, then $\psi(A') \neq 0$. (Otherwise, the degree of the zero divisor of $\psi$ would be at least $\deg(A') = bD > \ell d$, and thus exceed the degree of the pole divisor of $\psi$.) It follows that if $Q \neq 0$, then $\bar{Q}(Z_1, \ldots, Z_s)$, obtained by reducing the coefficients of $Q$ modulo $A'$, is also nonzero.¹ Since the degree of $\bar{Q}$ in each $Z_i$ is at most $\Delta < q^D$, it is easy to see that $\Phi(Y) = \bar{Q}(Y, \ldots, Y^{q^{D(s-1)}})$ is also nonzero. The degree of $\Phi$ is at most $q^{D(s-1)}$ times the total degree of $\bar{Q}$, which is at most $\Delta$. □

By the above two lemmas, we see that one can compute the set of residues $f(A')$ of all $f$ satisfying $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0$ by computing the roots in $K_{A'}$ of $\Phi(Y)$. Since $\mathrm{ev}_{A'}$ is injective on $\mathcal{L}(\ell M')$ (Lemma 5.7), this also lets us recover the message $f \in \mathcal{L}(\ell M')$.

Lemma 6.8. Given a nonzero polynomial $Q(Z_1, \ldots, Z_s)$ with coefficients from $\mathcal{L}(\ell M')$ and degree $\Delta < q^D$, the set of functions
\[
S = \bigl\{ f \in \mathcal{L}(\ell M') \;\big|\; Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0 \bigr\}
\]
has cardinality at most $q^{Ds}$.

Moreover, knowing the evaluations of a basis $B = \{\phi_1, \phi_2, \ldots, \phi_k\}$ of $\mathcal{L}(\ell M')$ at the place $A'$, one can compute the coefficients expressing each $f \in S$ in the basis $B$ in $q^{O(Ds)}$ time.

Proof. As argued above, any desired $f \in \mathcal{L}(\ell M')$ has the property that $\Phi(f(A')) = 0$, so the evaluations of functions in $S$ take at most $\deg(\Phi) \leq \Delta q^{D(s-1)} \leq q^{Ds}$ values. Since $\mathrm{ev}_{A'}$ is injective on $S$, this implies $|S| \leq q^{Ds}$. The second part follows since we can compute the roots of $\Phi$ in $K_{A'}$ in time $\mathrm{poly}(q^{Ds}, \log|K_{A'}|) \leq q^{O(Ds)}$. Knowing $f(A')$, we can recover $f$ (in terms of the basis $B$) by solving a linear system if we know the evaluations of the functions in the basis $B$ at $A'$. The next section discusses a convenient representation for computations in $K_{A'}$. □
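Lemmas 6.6 to 6.8 reduce Step 2 to finding the roots of $\Phi(Y) = \bar{Q}(Y, Y^{q^D}, \ldots)$ in the residue field $K_{A'}$, where the Frobenius power replaces the automorphism $\sigma_A$. The following Python script is an added illustration of that mechanism in a constructed toy and is not code from the paper: the residue field is $\mathbb{F}_{25}$ (elements $a + bt$ with $t^2 = 2$ over $\mathbb{F}_5$), $s = 2$, and the map $x \mapsto x^5$ stands in for $x \mapsto x^{q^D}$; the field arithmetic and the sample polynomials $\bar{Q}$ are all constructed here. Roots are found by exhaustive search, which is only sensible for a toy field, and the script also checks the two facts the lemmas rest on: $\bar{Q}$ must have degree below the Frobenius exponent in each variable, and the number of roots is bounded by $\deg(\Phi)$.

```python
"""Root-finding in a residue field via the Frobenius map (toy for Lemmas 6.6-6.8).

Constructed setting: residue field F_25 = F_5(t) with t^2 = 2, and x -> x^5
playing the role of x -> x^{q^D} (so "q^D = 5" and s = 2)."""

P = 5          # characteristic of the toy field (constructed)
NONRES = 2     # 2 is not a square mod 5, so t^2 - 2 is irreducible over F_5
FROB = P       # toy stand-in for q^D: the Frobenius exponent of F_25 over F_5

# Elements of F_25 are pairs (a, b) meaning a + b*t.


def add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)


def mul(x, y):
    a1, b1 = x
    a2, b2 = y
    # (a1 + b1 t)(a2 + b2 t) = a1 a2 + b1 b2 t^2 + (a1 b2 + a2 b1) t, with t^2 = NONRES
    return ((a1 * a2 + NONRES * b1 * b2) % P, (a1 * b2 + a2 * b1) % P)


def power(x, n):
    result = (1, 0)
    for _ in range(n):
        result = mul(result, x)
    return result


def field_elements():
    return [(a, b) for a in range(P) for b in range(P)]


def phi(qbar, y):
    """Phi(y) = Qbar(y, y^FROB) for Qbar given as {(n1, n2): coefficient in F_25}."""
    frob_y = power(y, FROB)
    total = (0, 0)
    for (n1, n2), c in qbar.items():
        total = add(total, mul(c, mul(power(y, n1), power(frob_y, n2))))
    return total


def frobenius_roots(qbar):
    """All y in the toy residue field with Qbar(y, y^FROB) = 0.

    Lemma 6.7 needs the degree of Qbar in each variable to be < q^D (here < P);
    otherwise Phi could vanish identically (e.g. Z2 - Z1^P). The root count is
    then bounded by deg(Phi) <= Delta * FROB, mirroring |S| <= q^{Ds}.
    """
    assert any(c != (0, 0) for c in qbar.values()), "Qbar must be nonzero"
    assert all(n1 < P and n2 < P for (n1, n2) in qbar), "degree must be < q^D"
    delta = max(n1 + n2 for (n1, n2) in qbar)
    roots = [y for y in field_elements() if phi(qbar, y) == (0, 0)]
    assert len(roots) <= delta * FROB
    return roots


if __name__ == "__main__":
    minus_one = (P - 1, 0)
    # Qbar = Z2 - Z1: Phi(Y) = Y^5 - Y, whose roots are exactly the prime field F_5.
    print(frobenius_roots({(0, 1): (1, 0), (1, 0): minus_one}))
    # Qbar = Z1*Z2 - 1: Phi(Y) = Y^6 - 1, the six norm-one elements of F_25.
    print(frobenius_roots({(1, 1): (1, 0), (0, 0): minus_one}))
```

The first sample $\bar{Q} = Z_2 - Z_1$ corresponds to functions fixed by the automorphism, and its five roots are the prime-field elements; the second, $\bar{Q} = Z_1 Z_2 - 1$, has degree $\Delta = 2$ and its six roots stay within the bound $\Delta \cdot 5 = 10$.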

6.3.1. Representation of the residue field $K_{A'}$. The following gives a convenient representation for elements of $K_{A'}$ which can be used in computations involving this field.

Lemma 6.9. The elements $\{1, \mu(A'), \ldots, \mu(A')^{b-1}\}$ form a basis for $K_{A'}$ over the field $R_T/(A) \cong \mathbb{F}_{q^D}$. In other words, elements of $K_{A'}$ can be expressed in a unique way as
\[
\sum_{i=0}^{b-1} b_i(T)\, \mu(A')^i
\]
where each $b_i \in R_T$ has degree less than $D$.



¹ This is the simplicity we gain by restricting the coefficients of $Q$ to also belong to $\mathcal{L}(\ell M')$.

Proof. Since $A$ is inert in $E/F$, the minimal polynomial $h(Z)$ of $\mu$ over $F$ has the property that $\bar{h}(Z)$, obtained by reducing the coefficients of $h$ modulo $A$, is irreducible over the residue field $R_T/(A)$. Thus $\mu(A')$ generates $K_{A'}$ over $R_T/(A)$, and in fact the minimal polynomial of $\mu(A')$ over $R_T/(A)$ equals $\bar{h}(Z)$. Note that the coefficients of $\bar{h}$, which belong to $R_T/(A)$, have a natural representation as polynomials in $R_T$ of degree $< \deg(A) = D$. □



We note that given the representation of the basis $B = \{\phi_1, \phi_2, \ldots, \phi_k\}$ in the form guaranteed by Theorem 5.1, one can trivially compute the evaluations $\phi_i(A')$ in the above form. There is no need to explicitly compute $\mu(A') \in O_{A'}/A'$. Therefore, the decoding algorithm requires no additional pre-processed information beyond a basis for the message space $\mathcal{L}(\ell M')$; the rest can all be computed efficiently from the basis alone.



6.4. Wrap-up. We are now ready to state our final decoding claim.

Theorem 6.10. For any $s$, $2 \leq s \leq m$, and $\zeta > 0$, the folded cyclotomic code $C \subset (\mathbb{F}_q^m)^N$ defined in (5.8) can be list decoded in time $(Nm)^{O(s)} (s/\zeta)^{O(s)} + q^{O(Ds)}$ from a fraction $\rho$ of errors given by the bound (6.4), where $R_0 = k/n$ is the rate of the code. The size of the output list is at most $q^{Ds}$. The decoding algorithm assumes a polynomial amount of pre-processed information consisting of basis functions $\{\phi_1, \ldots, \phi_k\}$ for the message space $\mathcal{L}(\ell M')$ represented in the form (5.1). (Note that this is the same representation used for encoding, and it is succinct by Lemma 5.3.)



Proof. We first note that the bound on the fraction of errors follows from Theorem 6.4, and the fact that $k = R_0 n = R_0 N m = R_0 b r$. By Lemma 6.1 and its proof, in Step 1 of the algorithm we can find a nonzero polynomial $Q$ (of degree $< q^D$) such that for any $f \in \mathcal{L}(\ell M')$ that needs to be output by the list decoder, we must have $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0$. We can evaluate the basis functions $\phi_i$ at $P_j^{(\beta)}$ in $(\ell q^d)^{O(1)}$ time by Lemma 5.4, and with this information, the running time of this interpolation step can be bounded by $(Nm)^{O(s)} (w+s)^{O(s)} = (Nm)^{O(s)} (s/\zeta)^{O(s)}$ (since $w = O(s/\zeta)$). We can also efficiently compute the evaluations of $\phi_i$ at $A'$ in the representation suggested by Lemma 6.9. Therefore, by Lemma 6.8, we can then find a list of the at most $q^{Ds}$ functions $f$ satisfying $Q\bigl(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\bigr) = 0$ in $q^{O(Ds)}$ time. □

Remark 6.11 (List Recovery). A similar claim holds for the more general list recovery problem, where for each position we are given as input a set of up to $l$ elements of $\mathbb{F}_q^m$, and the goal is to find all codewords which agree with some element of the input sets for at least a fraction $(1 - \rho)$ of positions. In this case, $1 - \rho$ only needs to be a factor $l^{1/s}$ larger than the bound (6.4). By picking $s \gg l$, the effect of $l$ can be made negligible. This feature is very useful in concatenation schemes; see Section 7.1 and [6] for further details.



7. Long codes achieving list decoding capacity 



We now describe the parameter choices which lead to capacity-achieving list-decodable codes, i.e., codes of rate $R_0$ that can correct a fraction $1 - R_0 - \varepsilon$ of errors (for any desired $0 < R_0 < 1$), and whose alphabet size is polylogarithmic in the block length; the formal statement appears in Theorem 7.1 below. (Recall that for folded RS codes, the alphabet size is a large polynomial in the block length.) Using concatenation and expander-based ideas, Guruswami and Rudra [6] also present capacity-achieving codes over a fixed alphabet size (that depends on the distance $\varepsilon$ to capacity alone). The advantage of our codes is that they inherit strong list recovery properties similar to the folded RS codes (Remark 6.11). This is very useful in concatenation schemes, and indeed our codes can be used as outer codes for an explicit family of binary concatenated codes list-decodable up to the Zyablov radius, with no brute-force search for the inner code (see Section 7.1 below).

We now describe our main result on how to obtain the desired codes from the construction C 
and Theorem 6.10. The underlying parameter choices to achieve this require a fair bit of care. 

Theorem 7.1 (Main). For every $R_0$, $0 < R_0 < 1$, and every constant $\varepsilon > 0$, the following holds for infinitely many integers $q$ which are powers of two. There is a code of rate at least $R_0$ over an alphabet of size $q$ with block length $N \geq 2^{\Omega(\varepsilon R_0\, q^{\Omega(\varepsilon^2/\log(1/R_0))})}$ that can be list decoded up to a fraction $1 - R_0 - \varepsilon$ of errors in time bounded by $\bigl(N \log(1/R_0)/\varepsilon^2\bigr)^{O(\varepsilon^{-2} R_0^{-1} \log(1/R_0))}$.



Proof. Suppose $R_0$, $0 < R_0 < 1$, and $\varepsilon > 0$ are given. Let $c = 2\lfloor \cdots \rfloor + 1$, and let $\varphi(c)$ denote Euler's totient function of $c$.

Let $u \geq 1$ be an arbitrary integer; we will get a family of codes by varying $u$. The code we construct will be a folded cyclotomic code $C$ defined in Eq. (5.8). Let $x = \varphi(c)u$. Note that $2^x \equiv 1 \pmod{c}$. We first pick $q, r, d$ as follows: $r = 2^x$, $q = r^2$, and $d = (2^x - 1)/c$. For this choice, $d \mid r - 1$ and $(q-1)/(r-1) = r + 1$ is coprime to $d$, as required in Lemma 4.1. So we can take $M(T) = T^d - \gamma \in \mathbb{F}_r[T]$ for $\gamma$ primitive in $\mathbb{F}_r$ as the irreducible polynomial over $\mathbb{F}_q$.

For the above choice $d/r < 1/c \leq \varepsilon R_0/20$, so that $d/(rR_0) < \varepsilon/20$. By picking
\[
s = \Theta\bigl(\varepsilon^{-1}\log(1/R_0)\bigr), \qquad m = \Theta(s/\varepsilon),
\]
and $\zeta = \varepsilon/20$, we can ensure that the decoding radius $\rho$ guaranteed in Eq. (6.4) by Theorem 6.10 is at least $1 - (1 + \varepsilon)R_0$.

The degree $b$ of the extension $E/F$ is as given in Eq. (4.1). The length of the unfolded cyclotomic code (defined in (5.7)) equals $n = rb > r^d/2$. We need to ensure that the rate of $C^0$, which is equal to the rate of the folded cyclotomic code $C$, is at least $R_0$. To this end, we will pick
\[
(7.1)\qquad \ell = \left\lceil \frac{b}{2} + \frac{R_0\, r b}{d} \right\rceil .
\]
It is easily checked that for our choice of parameters $\ell \geq b$. By Lemma 5.5, the rate of $C^0$ equals $\frac{\ell d - d(b-1)/2}{rb}$, which is at least $R_0$ for the above choice of $\ell$.

We next pick the value of $D$, the degree of the irreducible $A$, which is the key quantity governing the list size and decoding complexity. We need $D > \ell d/b$. For the $\ell$ chosen above, this condition is surely met if $D > 2r$. But there must also be an irreducible $A$ of degree $D$ that is a primitive root modulo $M$. Since we know the Riemann hypothesis for function fields, there is an effective Dirichlet theorem on the density of irreducibles in arithmetic progressions (see [18, Thm 4.8]). This implies that when $D \gg 2d$, such a polynomial $A$ must exist (in fact about a $\frac{\varphi(q^d - 1)}{D(q^d - 1)}$ fraction of degree $D$ polynomials satisfy the needed property). We can thus pick
\[
D = \Theta(r) = \Theta(dc) = \Theta\bigl(d/(R_0\varepsilon)\bigr) .
\]

The running time of the list decoding algorithm is dominated by the $q^{O(Ds)}$ term, and for the above choice of parameters can be bounded by $q^{O(d \log(1/R_0)/(R_0\varepsilon^2))}$. The block length of the code $N$ satisfies $N = rb/m > r^d/(2m)$, with $m = \Theta(\varepsilon^{-2}\log(1/R_0))$. As a function of $N$, the decoding complexity is therefore bounded by $\bigl(N \log(1/R_0)/\varepsilon^2\bigr)^{O(\varepsilon^{-2} R_0^{-1} \log(1/R_0))}$. The alphabet size of the folded cyclotomic code is $\tilde{q} = q^m$, and we can bound the block length $N$ from below as a function of $\tilde{q}$ as:
\[
N \;\geq\; \frac{q^{d/2}}{2m} \;\geq\; \frac{2^{\Omega(r/c)}}{2m} \;\geq\; \frac{2^{\Omega(\varepsilon R_0 r)}}{2m} \;\geq\; 2^{\Omega(\varepsilon R_0\, \tilde{q}^{1/(2m)})} \quad \text{(for large enough } \tilde{q} \text{ compared to } 1/R_0,\, 1/\varepsilon\text{)} .
\]
This establishes the claimed lower bound on block length, and completes the proof of the theorem. □



7.1. Concatenated codes list-decodable up to Zyablov radius. Using the strong list recovery property of folded RS codes, a polynomial time construction of binary codes list-decodable up to the Zyablov radius was given in [6, Thm 5.3]. The construction used folded RS codes as outer codes in a concatenation scheme, and involved an undesirable brute-force search to find a binary inner code that achieves list decoding capacity. The time to construct the code grew faster than $N^{(\cdots/\varepsilon)}$, where $\varepsilon$ is the distance of the decoding radius to the Zyablov radius. This result as well as our result below hold not only for binary codes but also for codes over any fixed alphabet; for the sake of clarity, we state results only for binary codes.

Since the folded cyclotomic codes from Theorem 7.1 are much longer than the alphabet size, 
by using them as outer codes, it is possible to achieve a similar result without having to search 
for an inner code, by using as inner codes all possible binary linear codes of a certain rate! 

Theorem 7.2. Let $0 < R_0, r < 1$ and $\varepsilon > 0$. Let $C$ be a folded cyclotomic code guaranteed by Theorem 7.1 with rate at least $R_0$ and a large enough block length $N$. Let $C^*$ be a binary code obtained by concatenating $C$ with all possible binary linear maps of rate $r$ (each one used a roughly equal number of times). Then $C^*$ is a binary linear code of rate at least $R_0 \cdot r$ that can be list decoded from a fraction $(1 - R_0)H^{-1}(1 - r) - \varepsilon$ of errors in time.



We briefly discuss the idea behind proving the above claim. As the alphabet size of folded 
cyclotomic codes is polylogarithmic in N, each outer codeword symbol can be expressed 
using O_ε(log log N) bits. Hence the total number of such inner codes S will be at most 
2^{O_ε((log log N)^2)} for large enough N. The N outer codeword positions will be partitioned 
into S (roughly) equal parts in an arbitrary way, and each inner code used to encode all the 
outer codeword symbols in one of the parts. Most of the inner codes achieve list decoding 
capacity — if their rate is r, they can list decode a H^{−1}(1 − r) − ε fraction of errors with constant 
sized lists (of size 2^{O(1/ε)}). This suffices for analyzing the standard algorithm for decoding 
concatenated codes (namely, list decode the inner codes to produce a small set of candidate 
symbols for each position, and then list recover the outer code based on these sets). Arguing 
as in [6, Thm 5.3], we can thus prove Theorem 7.2. 
Appendix A. Table of parameters used 

Since the construction of the cyclotomic function field and the associated error-correcting code 
used a large number of parameters, we summarize them below for easy reference. 

We begin by recalling the parameters concerning the function field construction: 

q        size of the ground finite field 

r        size of the subfield F_r of F_q 

F        the field F_q(T) of rational functions 

R_T      the ring of polynomials F_q[T] 

P_∞      the place of F that is the unique pole of T 

M        polynomial T^d − γ ∈ F_r[T], irreducible over F_q 

d        degree of the irreducible polynomial M 

C_M      the Carlitz action corresponding to M 

Λ_M      the M-torsion points in F̄ under the action C_M 

K        the cyclotomic function field F(Λ_M) 

λ        nonzero element of Λ_M that generates K over F; K = F(λ) 

G        the Galois group of K/F, naturally isomorphic to (R_T/(M))^* 

H        the subgroup F_q^* · F_r[T] of G 

E        the fixed field of H 

μ        primitive element for E/F; E = F(μ) 

b        the degree [E : F] of the extension E/F 

g        the genus of E/F, equals d(b − 1)/2 + 1 

The construction of the code (Eqn. (5.7)) and its folded version C (Eqn. (5.8)) used further 
parameters, listed below: 



M'           the unique place of E lying above M 

ℓ            maximum pole order at M' of message functions; ℓ ≥ b 

L(ℓM')       F_q-linear space of messages of the codes 

n            block length of the code of Eqn. (5.7), n = br 

k            dimension of the F_q-linear code of Eqn. (5.7), k = ℓd − g + 1 

m            folding parameter 

N            block length of the folded code C, N = n/m 

P_j^{(β)}    for β ∈ F_r and 0 ≤ j < b, these are the rational places lying above T − β in E 

A            an irreducible polynomial (place of F) that remains inert in E/F 

D            the degree of the polynomial A; satisfies Db > ℓd 

             the Artin automorphism of the extension E/F at A 

A'           the unique place of E lying above A 
Appendix B. Algebraic preliminaries 

We review some basic background material concerning global fields and their extensions. The 
term global field refers to either a number field, i.e., a finite extension of Q, or the function 
field L of an algebraic curve over a finite field, i.e., a finite extension of F = F_q(T). While we 
are only interested in the latter, much of the theory applies in a unified way to both settings. 
Good references for this material are the texts by Marcus [13] and Stichtenoth [21]. 

B.1. Valuations and Places. A subring X of L is said to be a valuation ring if for every 
z ∈ L, either z ∈ X or z^{−1} ∈ X. Each valuation ring is a local ring, i.e., it has a unique 
maximal ideal. The set of places of L, denoted P_L, is the set of maximal ideals of all the 
valuation rings of L. Geometrically, this corresponds to the set of all (non-singular) points 
on the algebraic curve corresponding to L. The valuation ring corresponding to a place P is 
called the ring of regular functions at P and is denoted O_P. 

Associated with a place P is a valuation v_P : L → Z ∪ {∞} that measures the order of zeroes 
or poles of a function at P; a negative valuation means the function has a pole at P (by 
convention we set v_P(0) = ∞). In terms of v_P, we have O_P = {x ∈ L | v_P(x) ≥ 0} and 
P = {x ∈ L | v_P(x) > 0}. The valuation v_P satisfies v_P(xy) = v_P(x) + v_P(y) and the triangle 
inequality v_P(x + y) ≥ min{v_P(x), v_P(y)} (with equality if v_P(x) ≠ v_P(y)). 

The quotient O_P/P is a field, since P is a maximal ideal, and it is called the residue field at P. 
The residue field O_P/P is a finite extension field of F_q; the degree of this extension is called 
the degree of P. We will also sometimes use the terminology primes to refer to places — the 
terms primes and places will be used interchangeably. 
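As an added illustration of the valuations just defined (example code written for this page, not from the paper), the following computes v_P on F = F_p(T) for a prime p, both at a finite place P given by an irreducible polynomial and at P_∞, the unique pole of T, so that the product rule and the triangle inequality can be checked on concrete rational functions. The coefficient-list representation of polynomials and the helper names are my own conventions.

```python
# Added example, not from the paper: the valuations v_P on F = F_p(T) (p prime) of B.1.
# A polynomial over F_p is a list of coefficients in increasing degree order; a rational
# function is a pair (num, den); a finite place P is an irreducible polynomial, and
# P=None denotes P_inf, the unique pole of T.
from itertools import zip_longest

def trim(f):
    """Drop leading zero coefficients; the zero polynomial is []."""
    while f and f[-1] == 0: f = f[:-1]
    return f

def deg(f): return len(trim(f)) - 1  # deg(0) = -1

def mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)

def add(x, y, p):
    (a, b), (c, d) = x, y  # a/b + c/d = (ad + cb)/(bd)
    s = [(u + w) % p for u, w in zip_longest(mul(a, d, p), mul(c, b, p), fillvalue=0)]
    return trim(s), mul(b, d, p)

def divmod_poly(f, g, p):
    """Long division over F_p; returns (quotient, remainder)."""
    f, g = trim(f), trim(g)
    q = [0] * max(len(f) - len(g) + 1, 0)
    inv = pow(g[-1], p - 2, p)  # inverse of the leading coefficient of g
    while deg(f) >= deg(g):
        shift, c = deg(f) - deg(g), f[-1] * inv % p
        q[shift] = c
        f = trim([(a - c * b) % p for a, b in zip_longest(f, [0] * shift + g, fillvalue=0)])
    return trim(q), f

def v_poly(f, P, p):
    """Number of times the irreducible P divides the nonzero polynomial f."""
    n = 0
    while True:
        f, r = divmod_poly(f, P, p)
        if r: return n
        n += 1

def v(x, P, p):
    """v_P(num/den): order of the zero (> 0) or pole (< 0) of x at the place P."""
    num, den = trim(x[0]), trim(x[1])
    if not num: return float("inf")  # convention v_P(0) = infinity
    if P is None: return deg(den) - deg(num)  # at P_inf, v = deg(den) - deg(num)
    return v_poly(num, P, p) - v_poly(den, P, p)
```

For instance, over F_5 with P = T − 2, the function (T − 2)^2 (T + 1)/T has v_P = 2, a simple pole at the place T, and v_∞ = −2, and adding (T − 2)/(T + 1) to it yields v_P = 1 = min{2, 1}, as the equality case of the triangle inequality predicts.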

B.2. Decomposition of primes in Galois extensions. We now discuss how primes 
decompose in field extensions. Let K/L be a finite, separable extension of global fields of degree 
[K : L] = n. We will restrict our attention to Galois extensions. Let P be a place of L. Let O'_P 
be the integral closure of O_P in K, i.e., the set of all z ∈ K which satisfy a monic polynomial 
equation with coefficients in O_P. The ideal PO'_P can be written as a product of prime ideals 
of O'_P as PO'_P = (P_1 P_2 ··· P_r)^e. Here P_1, P_2, ..., P_r are said to be the places of K lying above 
P (and P is said to lie below each P_i). One has the equality P_i ∩ L = P for every i. The 
ring O'_P is in fact the intersection of the O_{P_i} for i = 1, 2, ..., r. The quantity e is called the 
ramification index, and when e = 1, P (as well as the P_i) are said to be unramified. For x ∈ L, 
one has v_{P_i}(x) = e · v_P(x). The residue field O_{P_i}/P_i is a finite extension of O_P/P; the degree 
f of this extension is called the inertia degree of P. The ramification index e, inertia degree 
f, and number r of primes above P satisfy efr = n = [K : L]. 

If e = n and f = r = 1, the prime P is said to be totally ramified. If r = n and e = f = 1, the 
prime P is said to split completely. If f = n and e = r = 1, the prime P is said to be inert. 

B.3. Galois action on primes and the Artin automorphism. The Galois group G = 
Gal(K/L) acts transitively on the primes P_1, P_2, ..., P_r of K lying above P ∈ P_L. For each P_i, 
there is a subgroup D(P_i|P) ⊆ G that fixes P_i; this is called the decomposition group of P_i. It 
is known that the decomposition group is isomorphic to the Galois group of the finite field extension 
(O_{P_i}/P_i)/(O_P/P) of the residue fields. Note that the latter group is cyclic and generated by 
the Frobenius automorphism Frob mapping x ↦ x^{||P||}, where ||P|| is the size of the residue field O_P/P. 
The element of D(P_i|P) corresponding to Frob is called the Artin automorphism A(P_i|P) of P_i over P. 

When G is abelian (which covers the cases we are interested in), the decomposition group 
D(P_i|P) and the Artin automorphism A(P_i|P) are the same for every P_i, and they depend 
only on the prime P below. Denote the Artin automorphism at P by A_P. This has the 
following important property: 

A_P(x) ≡ x^{||P||} (mod P_i) 

for every x ∈ O'_P and every prime P_i lying above P. If P is unramified, then A_P is the only 
element of G with this property. In the unramified case, by Chinese Remaindering the above 
also implies 

A_P(x) ≡ x^{||P||} (mod PO'_P) 

for every x ∈ O'_P. 

Note that if P is inert with a unique prime P' lying above it, then D(P'|P) = G, and thus G 
must be cyclic. Thus, only cyclic extensions can have an inert prime. 